Abstract

Knowledge extraction is a fundamental notion, modelling machine possession of values (witnesses) in a computational complexity sense. The notion provides an essential tool for cryptographic protocol design and analysis, enabling one to argue about the internal state of protocol players without ever looking at this supposedly secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public-keys (as is common in cryptography), assuring that entities "know" what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public-keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of "concurrent knowledge-extraction" (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model.

We show that the potential vulnerability to man-in-the-middle (MIM) attacks turns out to be a real security threat to existing natural protocols running concurrently in the public-key model, which motivates us to introduce and formalize the notion of CKE. Then, both generic (based on standard polynomial assumptions) and efficient (employing complexity leveraging in a novel way) implementations for $\mathcal{NP}$ are presented for constant-round (in particular, round-optimal) concurrently knowledge-extractable concurrent zero-knowledge (CZK-CKE) arguments in the BPK model. The efficient implementation can further be instantiated highly practically for specific number-theoretic languages. Along the way, we discuss and clarify the various subtleties surrounding the security formulation and analysis, which provides insights into the complex CZK-CKE setting.

1 Introduction 


Zero-knowledge (ZK) protocols allow a prover to assure a verifier of the validity of theorems without giving away any additional knowledge (i.e., computational advantage) beyond validity. This notion was introduced by Goldwasser, Micali and Rackoff [43] and its generality was demonstrated by Goldreich, Micali and Wigderson [42]. Since its introduction ZK has found numerous useful applications, and by now plays a central role in modern cryptography (particularly in cryptographic protocol design [70, 31]).

The traditional notion of ZK considers security in a stand-alone (or sequential) execution of the protocol. Motivated by the use of such protocols in an asynchronous network like the Internet, where many protocols run simultaneously, studying security properties of ZK protocols in such concurrent settings has attracted much research effort in recent years, starting with Dwork, Naor and Sahai [27]. Informally, a ZK protocol is called concurrent zero-knowledge (CZK) if concurrent instances are all expected polynomial-time simulatable, namely, when a possibly malicious verifier concurrently interacts with a polynomial number of honest prover instances and schedules message exchanges as it wishes.

The concept of "proof of knowledge" (POK), informally discussed in [33], was then formally treated (see [32, 5, 34, 6]). POK systems, especially zero-knowledge POK (ZKPOK) systems, play a fundamental role in the design of cryptographic schemes and protocols, enabling a formal complexity-theoretic treatment of what it means for a machine to "know" something. Roughly speaking, a "proof of knowledge" means that a possibly malicious prover can convince the verifier that an $\mathcal{NP}$ statement is true if and only if it, in fact, "knows" (i.e., possesses) a witness to the statement (rather than merely conveying "proof of language membership," i.e., the fact that a corresponding witness exists).

With the advancement of cryptographic models where parties initially publish public-keys (particularly for achieving round-efficient concurrently secure protocols [12]), knowledge extraction becomes more subtle (due to possible dependency on published keys), and needs re-examination. Here, we investigate the relative power of the notion of "concurrent knowledge-extraction" in the concurrent zero-knowledge bare public-key model. Namely, we investigate how to formally treat knowledge possession for parties (which own public-keys) interacting over the Internet.

The bare public-key (BPK) model, originally introduced by Canetti, Goldreich, Goldwasser and Micali [11], is a natural and relatively weak cryptographic model. A protocol in this model simply assumes that all verifiers have each deposited a public key in a public file before (or while) user interactions take place. No assumption is made on whether the public-keys deposited are unique or valid (i.e., public keys can even be "nonsensical," where no corresponding secret-keys exist or are known). That is, no trusted third party is assumed, the underlying communication network is assumed to be adversarially asynchronous (i.e., arbitrary message delays), and preprocessing is reduced to minimally non-interactively posting public-keys in a public file (dynamic posting is allowed assuming a reasonable amount of time between key posting and key usage [11]). In many cryptographic settings, availability of a public key infrastructure (PKI) is assumed or required, and in these settings the BPK model is both natural and attractive (note that the BPK model is, in fact, a weaker version of PKI, where in the latter added key certification is assumed). It was pointed out by Micali and Reyzin [59] that the BPK model is, in fact, applicable to interactive systems in general.

Verifier security (i.e., soundness) in the BPK model (against malicious provers) turned out to be more involved than anticipated, as was demonstrated by Micali and Reyzin [59], who showed that under standard intractability assumptions there are four distinct meaningful notions of soundness, i.e., from weaker to stronger: one-time, sequential, concurrent and resettable soundness. Here, we focus on concurrent soundness, which, roughly speaking, means that a possibly malicious probabilistic polynomial-time (PPT) prover $P^*$ cannot convince the honest verifier $V$ of a false statement even when $P^*$ is allowed multiple interleaving interactions with $V$ in the public-key model. They also showed that any black-box ZK protocol with concurrent soundness in the BPK model (for non-trivial languages outside $\mathcal{BPP}$) must run at least four rounds [59]. It was also shown in [3, 59] that black-box ZK arguments with resettable soundness only exist for trivial (i.e., $\mathcal{BPP}$) languages (whether in the BPK model or not).

Due to the above, it was implied that concurrent soundness might be the best verifier security one can hope for in the case of black-box ZK arguments in the BPK model. In this work, we show that this intuition is not entirely correct, at least not in the POK setting where provers are polynomial time. Specifically, concurrent soundness only guarantees that concurrently interleaved interactions cannot help a malicious prover validate a false statement in the public-key model. However, it does not prevent a malicious prover from validating a true statement without knowing any witness for the statement being proved. One reason that this potential vulnerability is not merely a theoretical concern is that all concurrent ZK protocols in the BPK model involve a sub-protocol in which the verifier proves to the prover knowledge of the secret-key corresponding to its registered public-key; further, this type of proof is also quite common in practical cryptographic protocols in the public-key model. A malicious prover, in turn, can potentially exploit these proofs by the verifier in other sessions, without possessing a witness to these sessions' statements. We show concrete instances of this vulnerability. This issue, therefore, motivates the need for careful definitions and for achieving concurrent verifier security for concurrent ZK POK in the BPK model, so that provably one can remedy the above security vulnerability.

1.1 Our contributions 

We start by investigating the subtleties of concurrent verifier security in the public-key model in 
the case of proof of knowledge. Specifically, we show concurrent interleaving and malleating attacks 
against some existing natural protocols running concurrently in the BPK model, which shows that 
concurrent soundness and normal arguments of knowledge (and also traditional concurrent non- 
malleability) do not guarantee concurrent verifier security in the BPK model. 

Then, we formulate concurrent verifier security that remedies the vulnerability demonstrated by the concrete attacks, which are of a man-in-the-middle nature. The security notion defined is named concurrent knowledge-extraction (CKE) in the public-key model, which essentially means that for statements whose validations are successfully conveyed by a possibly malicious prover to an honest verifier (with registered public-key) by concurrent interactions, the prover must "know" the corresponding witnesses. We then present both generic (based on standard polynomial assumptions) and efficient (employing complexity leveraging in a novel way) implementations of constant-round (in particular, round-optimal) CZK-CKE arguments for $\mathcal{NP}$ in the BPK model. The efficient implementation can further be instantiated highly practically for specific number-theoretic languages. The techniques developed in this work for achieving CZK and CKE simultaneously could be of independent interest. Specifically, although some non-malleable building tools seem to be intrinsically required for achieving CZK-CKE in the BPK model, our solution does not employ any non-malleable tools. Along the way, we discuss and clarify the various subtleties surrounding the security formulation and analysis, which provides insights into the complex CZK-CKE setting.

As knowledge-extraction and zero-knowledge (and also the public-key model) are fundamental to 
cryptography, we suggest that the clarifications and formulation of CKE in the public-key model, the 
(both generic and efficient) CZK-CKE constructions and techniques developed in this work, along 
with the discussions and clarifications of the various subtleties surrounding the security formulation 
and analysis, are fundamental and can serve as a basis to formulate and achieve more complex cryp- 
tographic protocols in the public-key model. In particular, the CZK-CKE protocols are themselves 
the concurrent version, in the public-key model, of the highly useful and fundamental zero-knowledge 
arguments of knowledge. 

1.2 Related works 

Let us review some recent results and developments; we have been involved in numerous recent 
works which we review together with related works. While the list of related works and related 
issues is quite lengthy, the bottom line is that the notion defined and achieved herein is unique and 
independent of various related issues and works, and it captures knowledge extraction as a basic 
issue in concurrent executions in public key models. 

Concurrent ZK (actually, resettable ZK, which is stronger than CZK) arguments for $\mathcal{NP}$ with a provable sub-exponential-time CKE property in the BPK model were first achieved in [73], which makes sense only for sub-exponentially hard languages. Standard polynomial-time CKE for concurrent ZK arguments in the BPK model was left there as an open problem, which we answer here. We note that the techniques used in [73] do not render CZK with polynomial-time concurrent knowledge-extraction, and the subtle issues of knowledge-extraction independence were not realized and formalized there.

Two constructions for concurrent ZK arguments with sequential soundness in the BPK model under standard assumptions were proposed in the incomplete work of [75] (the early version dating from January 2004). But the security proof of concurrent soundness turned out to be flawed, as observed independently in [24, 75]. One construction was fixed to be concurrently sound in [21] by introducing some new techniques, and recently another construction was fixed to be concurrently sound in [20] following the spirit of [23]. Given these works, the current work (with its preliminary version appearing in [72]) further shows that the concurrently sound CZK arguments of [24, 20] do not capture CKE and are not concurrently knowledge-extractable when it comes to proofs of knowledge.

Recently, in another separate work [71], which deals with concurrent non-malleability (CNM) in the BPK model, we further clarify that the formulations of concurrent non-malleability (CNM) in existing works [63, 21] do not capture CKE in the public-key model. (Note that the preliminary version of this work, which appeared in the August 2006 update of the incomplete work of [76], is independent of [63, 21].) It is also demonstrated there that the CNMZK protocol of [21] is not concurrently knowledge-extractable (in the sense that concrete attacks exist). The line of CNM explorations in the BPK model is outside the scope of the current work.

In general, the issue of concurrent composition of proofs of knowledge (POK) can be traced back to the works [25, 57].

1.3 Organization 

We recall basic notions and tools in Section 2. In Section 3 we describe (an augmented version of) the BPK model with adaptive language selection based on public-keys. In Section 4 we present the motivation, by concrete attacks on naturally existing protocols, for concurrent knowledge-extractability in the public-key model. In Section 5 we formulate CKE in the BPK model, and make clarifications and justification of the CKE formulation. In Section 6 we present the generic implementation of constant-round CZK-CKE arguments for $\mathcal{NP}$ in the BPK model under standard hardness assumptions. In Section 7 we present the efficient and practical implementations of constant-round CZK-CKE arguments for $\mathcal{NP}$ in the BPK model with the usage of complexity leveraging in a minimal and novel way, and discuss and clarify in depth the various subtleties.

2 Preliminaries 

We use standard notations and conventions below for writing probabilistic algorithms, experiments and interactive protocols. If $A$ is a probabilistic algorithm, then $A(x_1, x_2, \cdots; r)$ is the result of running $A$ on inputs $x_1, x_2, \cdots$ and coins $r$. We let $y \leftarrow A(x_1, x_2, \cdots)$ denote the experiment of picking $r$ at random and letting $y$ be $A(x_1, x_2, \cdots; r)$. If $S$ is a finite set then $x \leftarrow S$ is the operation of picking an element uniformly from $S$. If $\alpha$ is neither an algorithm nor a set then $x \leftarrow \alpha$ is a simple assignment statement. By $[R_1; \cdots; R_n : v]$ we denote the set of values of $v$ that a random variable can assume, due to the distribution determined by the sequence of random processes $R_1, R_2, \cdots, R_n$. By $\Pr[R_1; \cdots; R_n : E]$ we denote the probability of event $E$, after the ordered execution of random processes $R_1, \cdots, R_n$.

Let $(P, V)$ be a probabilistic interactive protocol; then the notation $(y_1, y_2) \leftarrow \langle P(x_1), V(x_2)\rangle(x)$ denotes the random process of running interactive protocol $(P, V)$ on common input $x$, where $P$ has private input $x_1$, $V$ has private input $x_2$, $y_1$ is $P$'s output and $y_2$ is $V$'s output. We assume w.l.o.g. that the output of both parties $P$ and $V$ at the end of an execution of the protocol $(P, V)$ contains a transcript of the communication exchanged between $P$ and $V$ during such execution.

The security of cryptographic primitives and tools presented in this section is defined with respect to uniform polynomial-time or sub-exponential-time algorithms (equivalently, polynomial-size or sub-exponential-size circuits). When it comes to non-uniform security, we refer to non-uniform polynomial-time or sub-exponential-time algorithms (equivalently, families of circuits of polynomial or sub-exponential size).

Definition 2.1 (one-way function) A function $f : \{0,1\}^* \rightarrow \{0,1\}^*$ is called a one-way function (OWF) if the following conditions hold:

1. Easy to compute: There exists a (deterministic) polynomial-time algorithm $A$ such that on input $x$ algorithm $A$ outputs $f(x)$ (i.e., $A(x) = f(x)$).

2. Hard to invert: For every probabilistic polynomial-time (PPT) algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s, it holds that $\Pr[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] < \frac{1}{p(n)}$, where $U_n$ denotes a random variable uniformly distributed over $\{0,1\}^n$. A OWF $f$ is called sub-exponentially strong if for some constant $c$, $0 < c < 1$, for every sufficiently large $n$, and every circuit $C$ of size at most $2^{n^c}$, $\Pr[C(f(U_n), 1^n) \in f^{-1}(f(U_n))] < 2^{-n^c}$.

Definition 2.2 ((public-coin) interactive argument/proof system) A pair of interactive machines, $(P, V)$, is called an interactive argument system for a language $L$ if both are probabilistic polynomial-time (PPT) machines and the following conditions hold:

• Completeness. For every $x \in L$, there exists a string $w$ such that for every string $z$, $\Pr[\langle P(w), V(z)\rangle(x) = 1] = 1$.

• Soundness. For every polynomial-time interactive machine $P^*$, and for all sufficiently large $n$'s and every $x \notin L$ of length $n$ and every $w$ and $z$, $\Pr[\langle P^*(w), V(z)\rangle(x) = 1]$ is negligible in $n$.

An interactive protocol is called a proof for $L$ if the soundness condition holds against any (even computationally unbounded) $P^*$ (rather than only PPT $P^*$). An interactive system is called a public-coin system if at each round the prescribed verifier can only toss coins and send their outcome to the prover.

Commitment schemes enable a party, called the sender, to bind itself to a value in the initial commitment stage, while concealing it from the receiver (this property is called hiding). Furthermore, when the commitment is opened in a later decommitment stage, it is guaranteed that the "opening" can yield only the single value determined in the commitment phase (this property is called binding). Commitment schemes come in two different flavors: statistically-binding computationally-hiding and statistically-hiding computationally-binding.

Definition 2.3 (statistically/perfectly binding bit commitment scheme) A pair of PPT interactive machines, $(P, V)$, is called a perfectly binding bit commitment scheme, if it satisfies the following:

Completeness. For any security parameter $n$, and any bit $b \in \{0,1\}$, it holds that
$\Pr[(\alpha, \beta) \leftarrow \langle P(b), V\rangle(1^n);\ (t, (t, v)) \leftarrow \langle P(\alpha), V(\beta)\rangle(1^n) : v = b] = 1$.

Computationally hiding. For all sufficiently large $n$'s, and any PPT adversary $V^*$, the following two probability distributions are computationally indistinguishable: $[(\alpha, \beta) \leftarrow \langle P(0), V^*\rangle(1^n) : \beta]$ and $[(\alpha', \beta') \leftarrow \langle P(1), V^*\rangle(1^n) : \beta']$.

Perfectly Binding. For all sufficiently large $n$'s, and any adversary $P^*$, the following probability is negligible (or equals 0 for perfectly-binding commitments): $\Pr[(\alpha, \beta) \leftarrow \langle P^*, V\rangle(1^n);\ (t, (t, v)) \leftarrow \langle P^*(\alpha), V(\beta)\rangle(1^n);\ (t', (t', v')) \leftarrow \langle P^*(\alpha), V(\beta)\rangle(1^n) : v, v' \in \{0,1\} \wedge v \neq v']$.

That is, no (even computationally unbounded) adversary $P^*$ can decommit the same transcript of the commitment stage both to 0 and to 1.



Below, we recall some classic perfectly-binding commitment schemes. 

One-round perfectly-binding (computationally-hiding) commitments can be based on any one-way permutation (OWP) [8, 42]. Loosely speaking, given a OWP $f$ with a hard-core predicate $b$ (cf. [34]), on a security parameter $n$ one commits to a bit $\sigma$ by uniformly selecting $x \in \{0,1\}^n$ and sending $(f(x), b(x) \oplus \sigma)$ as a commitment, while keeping $x$ as the decommitment information.

For a practical perfectly-binding commitment scheme, in this work we use the DDH-based ElGamal (non-interactive) commitment scheme [29]. Let $p$ be a prime, $q$ a prime dividing $p-1$, and $g$ a generator of the subgroup of order $q$ of $Z_p^*$. To commit to a value $v \in Z_q$, the committer randomly selects $u, r \in Z_q$, computes $h = g^u \bmod p$ and sends $(h, \bar{g} = g^r, \bar{h} = g^v h^r)$ as the commitment. The decommitment information is $(r, v)$. Upon receiving the commitment $(h, \bar{g}, \bar{h})$, the receiver checks that $h, \bar{g}, \bar{h}$ are elements of order $q$ in $Z_p^*$. It is easy to see that the commitment scheme is perfectly binding: $\bar{g}$ determines $r$ uniquely, and then $\bar{h}$ determines $v$ uniquely. The computational hiding property follows from the DDH assumption on the subgroup of order $q$ of $Z_p^*$ (for more details, see [29]). We also note that in [57] Micciancio and Petrank presented another implementation of a DDH-based perfectly-binding commitment scheme with advanced security properties.
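The ElGamal commitment just recalled, as an added runnable example (this is not code from the paper): commit, the receiver's order-$q$ check, the decommitment check, and a brute-force demonstration of perfect binding. The toy parameters $p = 23$, $q = 11$, $g = 2$ are constructed for illustration; the function and variable names are the example's own.

```python
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 with q prime, and g = 2
# generates the subgroup of order q in Z_p^*. Real use needs a large q.
P, Q, G = 23, 11, 2


def has_order_q(x, p=P, q=Q):
    """Receiver-side check: x lies in Z_p^* and has order exactly q (so x != 1)."""
    return 1 < x < p and pow(x, q, p) == 1


def commit(v, p=P, q=Q, g=G):
    """Commit to v in Z_q: pick u, r in Z_q, h = g^u, send (h, g^r, g^v h^r).
    u and r are drawn from Z_q minus {0}, and the 1/q-probability case g^v h^r = 1
    is resampled, so that every component passes the receiver's order-q check."""
    if not 0 <= v < q:
        raise ValueError("value must lie in Z_q")
    while True:
        u = 1 + secrets.randbelow(q - 1)
        r = 1 + secrets.randbelow(q - 1)
        h = pow(g, u, p)
        g_bar = pow(g, r, p)
        h_bar = (pow(g, v, p) * pow(h, r, p)) % p
        if h_bar != 1:
            return (h, g_bar, h_bar), (r, v)


def check_commitment(com, p=P, q=Q):
    """What the receiver verifies on receipt: all three elements have order q."""
    return len(com) == 3 and all(has_order_q(x, p, q) for x in com)


def open_commitment(com, dec, p=P, q=Q, g=G):
    """Decommitment check: (r, v) must reproduce both g^r and g^v h^r."""
    if not check_commitment(com, p, q):
        return False
    h, g_bar, h_bar = com
    r, v = dec
    if not (0 <= r < q and 0 <= v < q):
        return False
    return pow(g, r, p) == g_bar and (pow(g, v, p) * pow(h, r, p)) % p == h_bar


def opening_values(com, p=P, q=Q, g=G):
    """Perfect binding made concrete: enumerate every (r, v) in Z_q^2 and collect
    the values v that open `com`. Feasible only for toy q; yields a one-element set."""
    return {v for r in range(q) for v in range(q)
            if open_commitment(com, (r, v), p, q, g)}
```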

Statistically-binding commitments can be based on any one-way function (OWF) but run in two rounds [60]. On a security parameter $n$, let $PRG : \{0,1\}^n \rightarrow \{0,1\}^{3n}$ be a pseudorandom generator; Naor's OWF-based two-round public-coin perfectly-binding commitment scheme works as follows: In the first round, the commitment receiver sends a random string $R \in \{0,1\}^{3n}$ to the committer. In the second round, the committer first uniformly selects a string $s \in \{0,1\}^n$; then, to commit to the bit 0 the committer sends $PRG(s)$ as the commitment, and to commit to the bit 1 the committer sends $PRG(s) \oplus R$ as the commitment. Note that the first-round message of Naor's commitment scheme can be fixed once and for all and, in particular, can be posted as a part of the public-key in the public-key model.

Definition 2.4 (trapdoor bit commitment scheme) A trapdoor bit commitment scheme (TC) is a quintuple of probabilistic polynomial-time (PPT) algorithms TCGen, TCCom, TCVer, TCKeyVer and TCFake, such that

Completeness. For any security parameter $n$, and any bit $b \in \{0,1\}$, it holds that:
$\Pr[(TCPK, TCSK) \leftarrow TCGen(1^n);\ (c, d) \leftarrow TCCom(1^n, TCPK, b) : TCKeyVer(1^n, TCPK) = TCVer(1^n, TCPK, c, b, d) = 1] = 1$.

Computationally Binding. For all sufficiently large $n$'s and for any PPT adversary $A$, the following probability is negligible in $n$: $\Pr[(TCPK, TCSK) \leftarrow TCGen(1^n);\ (c, v_1, v_2, d_1, d_2) \leftarrow A(1^n, TCPK) : TCVer(1^n, TCPK, c, v_1, d_1) = TCVer(1^n, TCPK, c, v_2, d_2) = 1 \wedge v_1, v_2 \in \{0,1\} \wedge v_1 \neq v_2]$.

Perfectly (or computationally) Hiding. For all sufficiently large $n$'s and any $TCPK$ such that $TCKeyVer(1^n, TCPK) = 1$, the following two probability distributions are identical (or computationally indistinguishable): $[(c_0, d_0) \leftarrow TCCom(1^n, TCPK, 0) : c_0]$ and $[(c_1, d_1) \leftarrow TCCom(1^n, TCPK, 1) : c_1]$.

Perfect (or Computational) Trapdoorness. For all sufficiently large $n$'s and any $(TCPK, TCSK) \in \{TCGen(1^n)\}$, $\exists v_1 \in \{0,1\}$, $\forall v_2 \in \{0,1\}$ such that the following two probability distributions are identical (or computationally indistinguishable):

$[(c_1, d_1) \leftarrow TCCom(1^n, TCPK, v_1);\ d'_2 \leftarrow TCFake(1^n, TCPK, TCSK, c_1, v_1, d_1, v_2) : (c_1, d'_2)]$ and $[(c_2, d_2) \leftarrow TCCom(1^n, TCPK, v_2) : (c_2, d_2)]$.

Feige-Shamir trapdoor commitments (FSTC) [31]. Based on Blum's protocol for DHC, Feige and Shamir developed a generic (computationally-hiding and computationally-binding) trapdoor commitment scheme [31], under either any one-way permutation or any OWF (depending on the underlying perfectly-binding commitment scheme used). The TCPK of the FSTC scheme is $(y = f(x), G)$ (for the OWF-based solution, TCPK also includes a random string $R$ serving as the first-round message of Naor's OWF-based perfectly-binding commitment scheme), where $f$ is a OWF and $G$ is a graph that is reduced from $y$ by the Cook-Levin $\mathcal{NP}$-reduction. The corresponding trapdoor is $x$ (or equivalently, a Hamiltonian cycle in $G$). The following is the description of the Feige-Shamir trapdoor bit commitment scheme, on a security parameter $n$.

Round-1. Let $f$ be a OWF; the commitment receiver randomly selects an element $x$ of length $n$ in the domain of $f$, computes $y = f(x)$, and reduces $y$ (by the Cook-Levin $\mathcal{NP}$-reduction) to an instance of DHC, a graph $G = (V, E)$ with $q = |V|$ nodes, such that finding a Hamiltonian cycle in $G$ is equivalent to finding the preimage of $y$. Finally, it sends $(y, G)$ to the committer. We remark that to get OWF-based trapdoor commitments, the commitment receiver also sends a random string $R$ of length $3n$.

Round-2. The committer first checks the $\mathcal{NP}$-reduction from $y$ to $G$ and aborts if $G$ is not reduced from $y$. Otherwise, to commit to 0, the committer selects a random permutation, $\pi$, of the vertices $V$, and commits (using the underlying perfectly-binding commitment scheme) to the entries of the adjacency matrix of the resulting permuted graph. That is, it sends a $q$-by-$q$ matrix of commitments so that the $(\pi(i), \pi(j))$-th entry is a commitment to 1 if $(i, j) \in E$, and is a commitment to 0 otherwise. To commit to 1, the committer commits to an adjacency matrix containing a randomly labeled $q$-cycle only.

Decommitment stage. To decommit to 0, the committer sends $\pi$ to the commitment receiver along with the revealing of all commitments, and the receiver checks that the revealed graph is indeed isomorphic to $G$ via $\pi$. To decommit to 1, the committer only opens the entries of the adjacency matrix that correspond to the randomly labeled cycle, and the receiver checks that all revealed values are 1 and the corresponding entries form a simple $q$-cycle.

Definition 2.5 (witness indistinguishability WI) Let $(P, V)$ be an interactive system for a language $L \in \mathcal{NP}$, and let $R_L$ be the fixed $\mathcal{NP}$ witness relation for $L$. That is, $x \in L$ if there exists a $w$ such that $(x, w) \in R_L$. We denote by $\mathrm{view}^{P(w)}_{V^*(z)}(x)$ a random variable describing the transcript of all messages exchanged between a (possibly malicious) PPT verifier $V^*$ and the honest prover $P$ in an execution of the protocol on common input $x$, when $P$ has auxiliary input $w$ and $V^*$ has auxiliary input $z$. We say that $(P, V)$ is witness indistinguishable for $R_L$ if for every PPT interactive machine $V^*$, and every two sequences $W^1 = \{w^1_x\}_{x \in L}$ and $W^2 = \{w^2_x\}_{x \in L}$ for sufficiently long $x$, so that $(x, w^1_x) \in R_L$ and $(x, w^2_x) \in R_L$, the following two probability distributions are computationally indistinguishable by any non-uniform polynomial-time algorithm: $\{x, \mathrm{view}^{P(w^1_x)}_{V^*(z)}(x)\}_{x \in L, z \in \{0,1\}^*}$ and $\{x, \mathrm{view}^{P(w^2_x)}_{V^*(z)}(x)\}_{x \in L, z \in \{0,1\}^*}$. Namely, for every non-uniform polynomial-time distinguishing algorithm $D$, every polynomial $p(\cdot)$, all sufficiently long $x$ and all $z \in \{0,1\}^*$, it holds that

$|\Pr[D(x, z, \mathrm{view}^{P(w^1_x)}_{V^*(z)}(x)) = 1] - \Pr[D(x, z, \mathrm{view}^{P(w^2_x)}_{V^*(z)}(x)) = 1]| < \frac{1}{p(|x|)}$

Definition 2.6 (strong witness indistinguishability SWI) Let $(P, V)$ and all other notations be as in Definition 2.5. We say that $(P, V)$ is strongly witness-indistinguishable for $R_L$ if for every PPT interactive machine $V^*$ and for every two probability ensembles $\{X^1_n, Y^1_n, Z^1_n\}_{n \in N}$ and $\{X^2_n, Y^2_n, Z^2_n\}_{n \in N}$, such that each $\{X^i_n, Y^i_n, Z^i_n\}_{n \in N}$ ranges over $(R_L \times \{0,1\}^*) \cap (\{0,1\}^n \times \{0,1\}^* \times \{0,1\}^*)$, the following holds: If $\{X^1_n, Z^1_n\}_{n \in N}$ and $\{X^2_n, Z^2_n\}_{n \in N}$ are computationally indistinguishable, then so are $\{\langle P(Y^1_n), V^*(Z^1_n)\rangle(X^1_n)\}_{n \in N}$ and $\{\langle P(Y^2_n), V^*(Z^2_n)\rangle(X^2_n)\}_{n \in N}$.

WI vs. SWI: It is clarified in [35] that the notion of SWI actually refers to issues that are fundamentally different from WI. Specifically, the issue is whether the interaction with the prover helps $V^*$ to distinguish some auxiliary information (which is indistinguishable without such an interaction). Significantly different from WI, SWI is not preserved under concurrent composition. For more details about SWI, see [35]. But, an interesting observation is: the protocol composing commitments and SWI can itself be regular WI.

Commit-then-SWI: Consider the following protocol composing a statistically-binding commitment and SWI:

Common input: $x \in L$ for an $\mathcal{NP}$-language $L$ with corresponding $\mathcal{NP}$-relation $R_L$.

Prover auxiliary input: $w$ such that $(x, w) \in R_L$.

The protocol: consisting of two stages:

Stage-1: The prover $P$ computes and sends $c_w = C(w, r_w)$, where $C$ is a statistically-binding commitment and $r_w$ is the randomness used for commitment.

Stage-2: Define a new language $L' = \{(x, c_w) \mid \exists (w, r_w)\ \text{s.t.}\ c_w = C(w, r_w) \wedge R_L(x, w) = 1\}$. Then, $P$ proves to $V$ that it knows a witness to $(x, c_w) \in L'$, by running a SWI protocol.

One interesting observation for the above commit-then-SWI protocol is that commit-then-SWI is itself a regular WI for $L$.

Proposition 2.1 Commit-then-SWI is itself a regular WI for the language $L$.

Proof (of Proposition 2.1). For any PPT malicious verifier $V^*$, possessing some auxiliary input $z \in \{0,1\}^*$, and for any $x \in L$ and two (possibly different) witnesses $(w_0, w_1)$ such that $(x, w_b) \in R_L$ for both $b \in \{0,1\}$, consider the executions of commit-then-SWI: $\langle P(w_0), V^*(z)\rangle(x)$ and $\langle P(w_1), V^*(z)\rangle(x)$.

Note that for $\langle P(w_b), V^*(z)\rangle(x)$, $b \in \{0,1\}$, the input to the SWI of Stage-2 is $(x, c_{w_b} = C(w_b, r_{w_b}))$, and the auxiliary input to $V^*$ at the beginning of Stage-2 is $(x, c_{w_b}, z)$. Note that $(x, c_{w_0}, z)$ is indistinguishable from $(x, c_{w_1}, z)$ (by the hiding property of $C$). Then, the regular WI property of the whole composed protocol follows from the SWI property of Stage-2. □

Definition 2.7 (system for argument/proof of knowledge [34, 6]) Let $R$ be a binary relation and $\kappa : N \rightarrow [0,1]$. We say that a probabilistic polynomial-time (PPT) interactive machine $V$ is a knowledge verifier for the relation $R$ with knowledge error $\kappa$ if the following two conditions hold:

• Non-triviality: There exists an interactive machine $P$ such that for every $(x, w) \in R$ all possible interactions of $V$ with $P$ on common input $x$ and auxiliary input $w$ are accepting.

• Validity (with error $\kappa$): There exists a polynomial $q(\cdot)$ and a probabilistic oracle machine $K$ such that for every interactive machine $P^*$, every $x \in L_R$, and every $w, r \in \{0,1\}^*$, machine $K$ satisfies the following condition:

Denote by $p(x, w, r)$ the probability that the interactive machine $V$ accepts, on input $x$, when interacting with the prover specified by $P^*_{x,w,r}$ (where $P^*_{x,w,r}$ denotes the strategy of $P^*$ on common input $x$, auxiliary input $w$ and random-tape $r$). If $p(x, w, r) > \kappa(|x|)$, then, on input $x$ and with oracle access to $P^*_{x,w,r}$, machine $K$ outputs a solution $w' \in R(x)$ within an expected number of steps bounded by

$$\frac{q(|x|)}{p(x, w, r) - \kappa(|x|)}$$

The oracle machine $K$ is called a knowledge extractor.

An interactive argument/proof system $(P, V)$ such that $V$ is a knowledge verifier for a relation $R$ and $P$ is a machine satisfying the non-triviality condition (with respect to $V$ and $R$) is called a system for argument/proof of knowledge (AOK/POK) for the relation $R$.
The above definition of POK is with respect to deterministic prover strategies. POK can also be defined with respect to probabilistic prover strategies. It was recently shown that the two definitions are equivalent for all natural cases (e.g., POK for $\mathcal{NP}$-relations) [4].

We mention that Blum's protocol for directed Hamiltonian Cycle (DHC) [9] is just a 3-round public-coin WIPOK for $\mathcal{NP}$, which is recalled below.

Blum's protocol for DHC [9]. The $n$-parallel repetition of Blum's basic protocol for proving knowledge of a Hamiltonian cycle in a given directed graph $G$ [9] is just a 3-round public-coin WIPOK for $\mathcal{NP}$ (with knowledge error $2^{-n}$) under any one-way permutation (as the first round of it involves one-round perfectly-binding commitments of a random permutation of $G$). But it can be easily modified into a 4-round public-coin WIPOK for $\mathcal{NP}$ under any OWF by employing Naor's two-round (public-coin) perfectly-binding commitment scheme [60]. The following is the description of Blum's basic protocol for DHC:

Common input. A directed graph $G = (V, E)$ with $q = |V|$ nodes.

Prover's private input. A directed Hamiltonian cycle $C_G$ in $G$.

Round-1. The prover selects a random permutation, $\pi$, of the vertices $V$, and commits (using a perfectly-binding commitment scheme) to the entries of the adjacency matrix of the resulting permuted graph. That is, it sends a $q$-by-$q$ matrix of commitments so that the $(\pi(i), \pi(j))$-th entry is a commitment to 1 if $(i, j) \in E$, and is a commitment to 0 otherwise.

Round-2. The verifier uniformly selects a bit $b \in \{0,1\}$ and sends it to the prover.

Round-3. If $b = 0$ then the prover sends $\pi$ to the verifier along with the revealing of all commitments (and the verifier checks that the revealed graph is indeed isomorphic to $G$ via $\pi$); if $b = 1$, the prover reveals to the verifier only the commitments to entries $(\pi(i), \pi(j))$ with $(i, j) \in C_G$ (and the verifier checks that all revealed values are 1 and the corresponding entries form a simple $q$-cycle).

We remark that the WI property of Blum's protocol for DHC relies on the hiding property of 
the underlying perfectly-binding commitment scheme used in its first-round. 
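As an added illustration of the three rounds above (example code written for this page, not taken from [9] or from the paper), the following Python runs one basic round of Blum's protocol on a constructed 5-node graph. It assumes a SHA-256-over-nonce commitment in place of the perfectly-binding scheme the text requires, and the graph, the cycle and all function names are the example's own.

```python
import hashlib
import secrets

# Constructed example instance (not from the paper): a 5-node directed graph that
# contains the Hamiltonian cycle 0 -> 1 -> 2 -> 3 -> 4 -> 0 plus a few extra edges.
Q_NODES = 5
EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (3, 1), (2, 4)}
CYCLE = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]

def commit(bit):
    """Stand-in commitment (an assumption of this example): SHA-256 over a 16-byte
    nonce and the bit. It is hiding and computationally binding, whereas the paper's
    first round uses a perfectly-binding scheme."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), (nonce, bit)

def opens_to(com, opening):
    nonce, bit = opening
    return hashlib.sha256(nonce + bytes([bit])).digest() == com

def round1(edges, q):
    """Prover: pick a random permutation pi and commit to every entry of the
    adjacency matrix of the permuted graph, indexed by (pi(i), pi(j))."""
    pi = list(range(q))
    secrets.SystemRandom().shuffle(pi)
    coms, openings = {}, {}
    for i in range(q):
        for j in range(q):
            key = (pi[i], pi[j])
            coms[key], openings[key] = commit(1 if (i, j) in edges else 0)
    return coms, (pi, openings)

def round3(state, b, cycle):
    """Prover's answer: b = 0 reveals pi and every opening; b = 1 reveals only
    the openings of the cycle entries of the permuted graph."""
    pi, openings = state
    if b == 0:
        return {"pi": pi, "openings": openings}
    return {"openings": {(pi[i], pi[j]): openings[(pi[i], pi[j])] for (i, j) in cycle}}

def verify(edges, q, coms, b, reply):
    """Verifier's check for the chosen bit b."""
    if b == 0:
        pi, openings = reply["pi"], reply["openings"]
        if sorted(pi) != list(range(q)):
            return False
        for i in range(q):
            for j in range(q):
                key = (pi[i], pi[j])
                if key not in openings or not opens_to(coms[key], openings[key]):
                    return False
                # the revealed graph must be exactly G relabelled by pi
                if openings[key][1] != (1 if (i, j) in edges else 0):
                    return False
        return True
    # b = 1: the revealed entries must all open to 1 and form a simple q-cycle.
    openings = reply["openings"]
    succ = {}
    for (u, v), opening in openings.items():
        if (u, v) not in coms or not opens_to(coms[(u, v)], opening) or opening[1] != 1:
            return False
        if u in succ:                    # two out-edges from one node: not a simple cycle
            return False
        succ[u] = v
    if len(succ) != q:
        return False
    start = next(iter(succ))
    node, seen = start, set()
    for _ in range(q):
        if node in seen or node not in succ:
            return False
        seen.add(node)
        node = succ[node]
    return node == start and len(seen) == q

def honest_run(b, edges=EDGES, cycle=CYCLE, q=Q_NODES):
    """One basic round with verifier challenge b; returns (commitments, reply)."""
    coms, state = round1(edges, q)
    return coms, round3(state, b, cycle)
```

With $b = 0$ the verifier rebuilds every entry of the permuted adjacency matrix and compares it with $G$ under $\pi$; with $b = 1$ only the $q$ cycle entries are opened, so the verifier learns a random $q$-cycle and nothing about $\pi$. A prover holding no Hamiltonian cycle can prepare for only one of the two challenges per copy, which is why the n-parallel repetition brings the knowledge error down to $2^{-n}$ as the text states.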

Statistical WI argument/proof of knowledge (WIA/POK). We employ, in a critical way,
constant-round statistical WIA/POK in this work. We briefly note two simple ways for achieving
statistical WIA/POK systems. Firstly, for any statistical/perfect Σ-protocol (defined below), the
OR-proof (i.e., the Σ_OR-protocol) is a statistical/perfect WI proof of knowledge. The second approach
is to modify the (parallel repetition of) Blum's protocol for DHC [9] (which is a computational WIPOK)
into a constant-round statistical WIAOK by replacing the statistically-binding commitments used in
the first round of Blum's protocol by constant-round statistically-hiding commitments. One-round
statistically-hiding commitments can be based on any collision-resistant hash function [19, 48]. Two-
round statistically-hiding commitments can be based on any claw-free collection with an efficiently
recognizable index set [381 BS El] (statistically-hiding commitments can also be based on general
assumptions, in particular any OWF, with non-constant rounds [6T1 Wl\ [56]).

2.1 Σ and Σ_OR Protocols

Σ-protocols are very useful cryptographic tools: they are 3-round public-coin protocols satisfying a
special honest-verifier zero-knowledge (SHVZK) property and a special soundness property in the
sense of knowledge extraction.

Definition 2.8 (Σ-protocol [14]) A 3-round public-coin protocol $(P, V)$ is said to be a Σ-protocol
for an NP-language $L$ with relation $R_L$ if the following hold:

• Completeness. If $P$, $V$ follow the protocol, the verifier always accepts.

• Special soundness. From any common input $x$ of length $poly(n)$ and any pair of accepting
conversations on input $x$, $(a, e, z)$ and $(a, e', z')$ where $e \neq e'$, one can efficiently compute $w$
such that $(x, w) \in R_L$. Here $a$, $e$, $z$ stand for the first, the second and the third message
respectively and $e$ is assumed to be a string of length $k$ (such that $1^k$ is polynomially related to
the security parameter $1^n$) selected uniformly at random in $\{0, 1\}^k$.

• Special honest verifier zero-knowledge (SHVZK). There exists a probabilistic polynomial-time
(PPT) simulator $S$, which on input $x$ (where there exists a $w$ such that $(x, w) \in R_L$) and a
random challenge string $e$, outputs an accepting conversation of the form $(a, e, z)$, with a prob-
ability distribution that is indistinguishable from that of the real conversation $(a, e, z)$ between
the honest $P(w)$ and $V$ on input $x$.

A Σ-protocol is called a perfect/statistical Σ-protocol if it is perfect/statistical SHVZK. A Σ-
protocol is called partial witness-independent if the generation of its first-round message is indepen-
dent of (i.e., does not use) the witness for the common input. A very large number of Σ-protocols
have been developed in the literature. In particular, (the n-parallel repetition of) Blum's protocol for
DHC [9] is a (partial witness-independent) computational Σ-protocol for NP; that is, the n-parallel
repetition of Blum's protocol for DHC [9] is also a three-round (partial witness-independent) WI for
NP. Most practical Σ-protocols for number-theoretic languages (e.g., DLP and RSA [68, 44], etc.)
are (partial witness-independent) perfect Σ-protocols. For a good survey of Σ-protocols and their
applications, the reader is referred to [18].

Σ-protocol for DLP [68]. The following is a Σ-protocol $(P, V)$ proposed by Schnorr [68] for
proving knowledge of a discrete logarithm, $w$, for a common input of the form $(p, q, g, h)$ such that
$h = g^w \bmod p$, where on a security parameter $n$, $p$ is a uniformly selected $n$-bit prime such that
$q = (p - 1)/2$ is also a prime, and $g$ is an element in $\mathbb{Z}_p^*$ of order $q$. It is actually the first efficient
Σ-protocol proposed in the literature.

• $P$ chooses $r$ at random in $\mathbb{Z}_q$ and sends $a = g^r \bmod p$ to $V$.

• $V$ chooses a challenge $e$ at random in $\mathbb{Z}_{2^k}$ and sends it to $P$. Here, $k$ is fixed such that $2^k < q$.

• $P$ sends $z = r + ew \bmod q$ to $V$, who checks that $g^z = a h^e \bmod p$, that $p$, $q$ are prime and that
$g$, $h$ have order $q$, and accepts iff this is the case.

The OR-proof of Σ-protocols [15]. One basic construction with Σ-protocols is the OR of
a real protocol conversation and a simulated one, called Σ_OR, that allows a prover to show that,
given two inputs $x_0, x_1$ (for possibly different NP-relations $R_0$ and $R_1$ respectively), it knows a $w$
such that either $(x_0, w) \in R_0$ or $(x_1, w) \in R_1$, but without revealing which is the case (i.e., witness
indistinguishability, WI) [15]. Specifically, given two Σ-protocols $(P_b, V_b)$ for $R_b$, $b \in \{0, 1\}$, with random
challenges of, without loss of generality, the same length $k$, consider the following protocol $(P, V)$,
which we call Σ_OR. The common input of $(P, V)$ is $(x_0, x_1)$ and $P$ has a private input $w$ such that
$(x_b, w) \in R_b$.

• $P$ computes the first message $a_b$ in $(P_b, V_b)$, using $x_b, w$ as private inputs. $P$ chooses $e_{1-b}$ at ran-
dom, runs the SHVZK simulator of $(P_{1-b}, V_{1-b})$ on input $(x_{1-b}, e_{1-b})$, and lets $(a_{1-b}, e_{1-b}, z_{1-b})$
be the output. $P$ finally sends $a_0, a_1$ to $V$.

• $V$ chooses a random $k$-bit string $s$ and sends it to $P$.

• $P$ sets $e_b = s \oplus e_{1-b}$ and computes the answer $z_b$ to challenge $e_b$ using $(x_b, a_b, e_b, w)$ as input.
It sends $(e_0, z_0, e_1, z_1)$ to $V$.

• $V$ checks that $s = e_0 \oplus e_1$ and that the conversations $(a_0, e_0, z_0)$, $(a_1, e_1, z_1)$ are accepting conver-
sations with respect to inputs $x_0, x_1$, respectively.
Theorem 2.1 [15] The protocol Σ_OR above is a Σ-protocol for $R_{OR}$, where $R_{OR} = \{((x_0, x_1), w) \mid (x_0, w) \in R_0 \text{ or } (x_1, w) \in R_1\}$. Moreover, Σ_OR-protocols are witness indistinguishable (WI) argument/proof
of knowledge systems.

The SHVZK simulator of Σ_OR [15]. For a Σ_OR-protocol of the above form, denote by
$S_{OR}$ the perfect SHVZK simulator of it and denote by $S_b$ the perfect SHVZK simulator of the
protocol $(P_b, V_b)$ for $b \in \{0, 1\}$. Then on common input $(x_0, x_1)$ and a random string $e$ of length $k$,
$S_{OR}((x_0, x_1), e)$ works as follows: it first chooses a random $k$-bit string $e_0$, computes $e_1 = e \oplus e_0$,
then $S_{OR}$ runs $S_b(x_b, e_b)$ to get a simulated transcript $(a_b, e_b, z_b)$ for $b \in \{0, 1\}$, and finally $S_{OR}$ outputs
$((a_0, a_1), e, (e_0, z_0, e_1, z_1))$.
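Added example (not code from the paper or from [68, 15]): a Python implementation of Schnorr's Σ-protocol above together with its special-soundness extractor and SHVZK simulator, and of the Σ_OR construction and the simulator $S_{OR}$ just described, built on the Schnorr pieces. The toy group ($p = 1019$, $q = 509$, $g = 4$), the challenge length $k = 8$ and every function name are assumptions of this example; the group is far too small for real use.

```python
import secrets

# Constructed toy parameters: p = 1019 is a safe prime, q = (p - 1) / 2 = 509 is prime,
# and g = 4 = 2^2 is a quadratic residue mod p, so it has order q.
P, Q, G = 1019, 509, 4
K = 8  # challenge bit-length, chosen so that 2^K < q as the protocol requires

def keygen():
    """Witness w and statement h = g^w mod p (a DLP instance)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def has_order_q(x):
    """Verifier-side check that x lies in the order-q subgroup (p, q primality is
    fixed by the constructed parameters above)."""
    return x != 1 and pow(x, Q, P) == 1

# --- Schnorr's Sigma-protocol for DLP ---
def schnorr_commit():
    """First message a = g^r; r is kept as prover state."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def schnorr_respond(r, e, w):
    """Third message z = r + e*w mod q."""
    return (r + e * w) % Q

def schnorr_verify(h, a, e, z):
    """Accept iff g^z = a * h^e mod p and g, h have order q."""
    return has_order_q(G) and has_order_q(h) and pow(G, z, P) == (a * pow(h, e, P)) % P

def schnorr_simulate(h, e):
    """SHVZK simulator: choose z first, then solve a = g^z * h^(-e)."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(h, (-e) % Q, P)) % P
    return a, e, z

def schnorr_extract(e1, z1, e2, z2):
    """Special soundness: two accepting transcripts sharing a with e1 != e2
    give w = (z1 - z2) / (e1 - e2) mod q."""
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q

# --- Sigma_OR over two Schnorr instances hs = (h0, h1); the prover knows w for hs[b] ---
def or_first(hs, b, w):
    """Real commitment for index b; simulated transcript for 1-b under random e_{1-b}."""
    r, a_real = schnorr_commit()
    e_fake = secrets.randbelow(2 ** K)
    a_fake, _, z_fake = schnorr_simulate(hs[1 - b], e_fake)
    a = [None, None]
    a[b], a[1 - b] = a_real, a_fake
    return tuple(a), (b, w, r, e_fake, z_fake)

def or_last(state, s):
    """On verifier challenge s: e_b = s XOR e_{1-b}, answer the real instance."""
    b, w, r, e_fake, z_fake = state
    e, z = [None, None], [None, None]
    e[b] = s ^ e_fake
    z[b] = schnorr_respond(r, e[b], w)
    e[1 - b], z[1 - b] = e_fake, z_fake
    return tuple(e), tuple(z)

def or_verify(hs, a, s, e, z):
    """Check s = e0 XOR e1 and that both Schnorr conversations accept."""
    return s == (e[0] ^ e[1]) and all(schnorr_verify(hs[i], a[i], e[i], z[i]) for i in (0, 1))

def or_simulate(hs, s):
    """S_OR: split s as e0 XOR e1 and simulate both sides."""
    e0 = secrets.randbelow(2 ** K)
    e1 = s ^ e0
    a0, _, z0 = schnorr_simulate(hs[0], e0)
    a1, _, z1 = schnorr_simulate(hs[1], e1)
    return (a0, a1), s, (e0, e1), (z0, z1)

def or_session(hs, b, w):
    """Honest Sigma_OR run; returns the verifier's decision."""
    a, state = or_first(hs, b, w)
    s = secrets.randbelow(2 ** K)
    e, z = or_last(state, s)
    return or_verify(hs, a, s, e, z)

def demo():
    """Exercise each property; every entry is expected to be True."""
    w0, h0 = keygen()
    w1, h1 = keygen()
    r, a = schnorr_commit()
    e1, e2 = 3, 200                     # two distinct challenges for one a (rewinding)
    z1, z2 = schnorr_respond(r, e1, w0), schnorr_respond(r, e2, w0)
    sa, se, sz = schnorr_simulate(h0, e1)
    return {
        "schnorr_accepts": schnorr_verify(h0, a, e1, z1),
        "extractor_recovers_w": schnorr_extract(e1, z1, e2, z2) == w0,
        "simulated_accepts": schnorr_verify(h0, sa, se, sz),
        "or_with_w0": or_session((h0, h1), 0, w0),
        "or_with_w1": or_session((h0, h1), 1, w1),
        "or_simulated_accepts": or_verify((h0, h1), *or_simulate((h0, h1), 77)),
    }
```

The two sessions `or_with_w0` and `or_with_w1` produce transcripts the verifier cannot tell apart, which is the WI property of Theorem 2.1 in action; `or_simulate` shows why $S_{OR}$ needs no witness at all, since it only needs to split the challenge and run $S_b$ twice.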

3 The BPK Model with Adaptive Language Selection

We present the definitions of concurrent soundness and concurrent zero-knowledge in the BPK model
(cf. [11, 59, 24, 63]). The key augmentation of the current formulation, in comparison with previous
definitions of the BPK model, is to allow adaptive language selection based on public-keys.

3.1 Honest players in the BPK model

We say a class of languages $\mathcal{C}$ is admissible to a protocol $(P, V)$ if the protocol can work (or be
instantiated) for any language $L \in \mathcal{C}$. Typically, $\mathcal{C}$ could be the set of all NP-languages (via NP-
reduction in case $(P, V)$ can work for an NP-complete language) or the set of all languages admitting
Σ-protocols (in this case $(P, V)$ could be instantiated for any language in $\mathcal{C}$ efficiently without going
through general NP-reductions). Let $R_{KEY}$ be an NP-relation validating the public-key and secret-
key pair $(PK, SK)$ generated by honest verifiers, i.e., $R_{KEY}(PK, SK) = 1$ indicates that $SK$ is a
valid secret-key of $PK$. Then, a protocol $(P, V)$ in the BPK model, w.r.t. some admissible language
set $\mathcal{C}$ and some key-validating relation $R_{KEY}$, consists of the following:

• $F$, a public-key file that is a polynomial-size collection of records $(id, PK_{id})$, where $id$ is a string
identifying a verifier and $PK_{id}$ is its (alleged) public-key. When verifiers' IDs are implicitly
specified from the context, for presentation simplicity we also just take $F$ as a collection of
public-keys in protocol specification and security analysis.

• $M$, a PPT language-selecting machine that on inputs $(1^n, F)$ outputs the description of an
NP-relation $R_L$ for an NP-language $L \in \mathcal{C}$. The output of $M$ (i.e., the description of $R_L$)
is then given to both the prover $P$ and (the proof stage of) the verifier $V$. We require that, given
the description of $R_L$, the admissibility of $L$ (i.e., the membership $L \in \mathcal{C}$) can be efficiently
decided.

• $P(1^n, R_L, x, w, F, id, \gamma)$, an honest prover that is a polynomial-time interactive machine, where
$1^n$ is a security parameter, $x$ is a $poly(n)$-bit string in $L$, $w$ is an auxiliary input, $F$ is a
public-file, $id$ is a verifier identity, and $\gamma$ is its random-tape.

• $V$, an honest verifier that is a polynomial-time interactive machine working in two stages.

1. Key generation stage. $V$, on a security parameter $1^n$ and a random-tape $r$, outputs a
key pair $(PK, SK)$ satisfying $R_{KEY}(PK, SK) = 1$. $V$ then registers $PK$ in $F$ as its
public-key while keeping the corresponding secret-key $SK$ secret.

2. Proof stage. $V$, on inputs $SK$ and $R_L$, $x \in \{0, 1\}^{poly(n)}$ (which is supposed to be in $L$) and
a random-tape $\rho$, performs an interactive protocol with a prover and outputs "accept"
indicating $x \in L$ or "reject" indicating $x \notin L$.
Note: On the one hand, augmenting the BPK model with adaptive language selection compli-
cates the formulation and may be more difficult to fulfill against adversaries with adaptive language
selection ability; on the other hand, this is a far more realistic model for cryptographic protocols
running concurrently in the public-key model, where mixing the public-key structure into the
language is a natural adversarial strategy.

3.2 The malicious concurrent prover and concurrent soundness in the BPK
model

An $s$-concurrent malicious prover $P^*$ in the BPK model, for a positive polynomial $s$, is a probabilistic
polynomial-time Turing machine that, on a security parameter $1^n$ and an auxiliary string $z \in \{0, 1\}^*$,
performs an $s$-concurrent attack against $V$ as follows in two stages:

Let $(PK, SK)$ be the output of the key generation stage of $V$ on a security parameter $1^n$ and
a random string $r$. Then, in the first stage, on inputs $(1^n, PK, z)$, $P^*$ first generates $(R_L, t)$, where
$R_L$ determines an admissible NP-language $L \in \mathcal{C}$ and $t \in \{0, 1\}^*$ is some auxiliary information to
be used in the second stage. We assume $P^*$ always selects an admissible language $L$ in the first
stage; otherwise the honest verifier will not start its proof stages, as we assume the admissibility of
$L$ can be efficiently verified. Then, in the second stage (i.e., the proof stage) w.r.t. $R_L$ and $PK$, $P^*$
can perform concurrently at most $s(n)$ interactive protocols (sessions) with (the proof stage of) $V$
as follows: if $P^*$ is already running $i - 1$ ($1 \le i \le s(n)$) sessions, it can select on the fly a common
input $x_i \in \{0, 1\}^{poly(n)}$ (which may be equal to $x_j$ for $1 \le j < i$) and initiate a new session with
the proof stage of $V(1^n, R_L, x_i, SK, \rho_i)$; $P^*$ can output a message for any running protocol, and
always receives promptly the response from $V$ (that is, $P^*$ controls at its wish the schedule of the
messages being exchanged in all the concurrent sessions). We stress that in different sessions $V$ uses
independent random-tapes in its proof stages (that is, $\rho_1, \ldots, \rho_{s(n)}$ are independent random strings).
We denote by $view_{P^*}(1^n, z)$ the random variable describing the view of $P^*$ in this experiment, which
includes its random tape, the auxiliary string $z$, all messages it receives including the public-key
$PK$ and all messages sent by the $V(1^n, R_L, x_i, SK, \rho_i)$'s in the $s(n)$ proof-stages, $1 \le i \le s(n)$. For any
$(PK, SK) \in R_{KEY}$, we denote by $view_{P^*}^{(PK, SK)}(1^n, z, PK)$ the random variable describing the view of
$P^*$ specific to $PK$, which includes its random tape, the auxiliary string $z$, the (specific) $PK$, and all
messages it receives from the $V(1^n, R_L, x_i, SK, \rho_i)$'s in the $s(n)$ proof-stages, $1 \le i \le s(n)$.

We then say a protocol $(P, V)$ is concurrently sound in the BPK model w.r.t. some admissible
language set $\mathcal{C}$, if for any sufficiently large $n$, for any honest verifier $V$ and all (except for a negligible
fraction of) $(PK, SK)$ output by the key-generation stage of $V$, for all positive polynomials $s$ and
all $s$-concurrent malicious provers $P^*$ and any string $z \in \{0, 1\}^*$, for any admissible language $L \in \mathcal{C}$
and any string $x \notin L$ (of length $poly(n)$), the probability that $V$ outputs "accept $x \in L$" in the
$s$-concurrent attack against $V(1^n, R_L, SK)$ (i.e., in one of the $s(n)$ sessions) is negligible in $n$, where
the probability is taken over the randomness of $P^*$ and the randomness of $V$ for key-generation and for
all the $s(n)$ proof-stages.

Notes: The above concurrent soundness is defined w.r.t. multiple proof-stages (sessions) with the
same public-key. In this case, we can imagine that the auxiliary information $z$ encodes information
collected from protocol executions w.r.t. other public-keys that are generated independently of the
public-key $PK$ at hand. Note that, as discussed in [59], the extension to the general case, where $P^*$
interacts with instances of multiple verifiers with multiple (independently generated) public-keys, is
direct. Also note that all proof-stages of $V$ (i.e., all the $s(n)$ sessions) are w.r.t. the same admissible
language $L$. Such treatment is only for presentation simplicity. Both the security model and the security
proof of this work can be easily extended to the general case, where $P^*$ can select an admissible language
$L_i$ for each session $i$, $1 \le i \le s(n)$ (in this case, whenever $P^*$ starts a new session it sends $(x_i, R_{L_i})$
to $V$ indicating that the new session is on common input $x_i$ and for admissible language $L_i$).
3.3 The malicious concurrent verifier and concurrent ZK in the BPK model

An $s$-concurrent malicious verifier $V^*$, where $s$ is a positive polynomial, is a PPT Turing machine
that, on input $1^n$ and an auxiliary string $z$, works in two stages:

Stage-1 (key-generation stage). On $(1^n, z)$, $V^*$ outputs a relation $R_L$ determining an admissible
language $L \in \mathcal{C}$, an arbitrary public-file $F$ and a list of (without loss of generality) $s(n)$
identities $id_1, \ldots, id_{s(n)}$. Then, $V^*$ is given a list of $s(n)$ strings $x = \{x_1, \ldots, x_{s(n)}\} \in L^{s(n)}$ of
length $poly(n)$ each, where $x_i$ might be equal to $x_j$, $1 \le i, j \le s(n)$.

Stage-2 (proof stage). Starting from the final configuration of Stage-1, $V^*$ concurrently interacts
with $s(n)^2$ instances of the honest prover $P$: $P(1^n, F, R_L, x_i, w_i, id_j, \gamma_{(i,j)})$, where $1 \le i, j \le s(n)$,
$(x_i, w_i) \in R_L$ and the $\gamma_{(i,j)}$'s are independent random strings. In this stage, $V^*$ controls at its
wish the schedule of the messages being exchanged in all the concurrent sessions. In particular,
$V^*$ can output a message for any running session dynamically based on the transcript up to
now, and always receives promptly the response from $P$. For any auxiliary string $z \in \{0, 1\}^*$,
each public-key file $F$ and $R_L$ output by $V^*$ in Stage-1 and any $x = \{x_1, \ldots, x_{s(n)}\} \in L^{s(n)}$,
we denote by $view_{V^*(z)}^{P(1^n, F, R_L, x_i, w_i, id_j, \gamma_{(i,j)})\text{'s}}(1^n, x)$ the random variable describing the view of $V^*$
in its second stage of this experiment, which includes $(z, F, R_L, x)$, the randomness of $V^*$ in its
second stage and all messages received from all the $s(n)^2$ prover instances.

Definition 3.1 (concurrent zero-knowledge in the BPK model) A protocol $(P, V)$ is (black-
box) concurrent zero-knowledge in the BPK model w.r.t. some admissible language set $\mathcal{C}$, if there
exists a PPT black-box simulator $S$ such that for any sufficiently large $n$ and every $s$-concurrent
malicious verifier $V^*$ the following two distribution ensembles are indistinguishable:

$$\Big\{ view_{V^*(z)}^{P(1^n, F, R_L, x_i, w_i, id_j, \gamma_{(i,j)})\text{'s}}(1^n, x) \Big\}_{x \in L^{s(n)},\ L \in \mathcal{C},\ F \in \{0,1\}^*,\ z \in \{0,1\}^*}$$

$$\Big\{ S(1^n, F, R_L, x, z) \Big\}_{x \in L^{s(n)},\ L \in \mathcal{C},\ F \in \{0,1\}^*,\ z \in \{0,1\}^*}$$

Notes: For presentation simplicity, the CZK property in the BPK model with adaptive language
selection is formulated with respect to the case that all $s(n)^2$ sessions (i.e., proof-stages) are for the same NP-
relation $R_L$ and that $x \in L^{s(n)}$ is predefined (i.e., not selected adaptively by $V^*$). Both the security
model and the security proof of this work can be easily extended to the general case, where $V^*$ can
select an admissible language for each of the $s(n)^2$ sessions and can select the common inputs $x_i$'s
adaptively. We remark that for adaptive input selection, it is the responsibility of $V^*$ to provide the
corresponding NP-witnesses $w_i$'s to the honest prover instances.



4 Motivation for Concurrent Knowledge-Extraction in the Public-
Key Model

We show a concurrent interleaving and malleating attack on the concurrent ZK protocol of [24]
that is both concurrently sound and a normal argument of knowledge in the BPK model, in which, by
concurrently interacting with the honest verifier in two sessions, a malicious $P^*$ can (with probability
1) malleate the verifier's interactions in one session into successful interactions in another session
on a true (public-key related) statement but without knowing any witness to the statement being
proved. This shows that concurrent soundness and normal arguments of knowledge do not guarantee
concurrent verifier security in the public-key model. Actually, we show that, assuming any OWF,
CKE is strictly stronger than concurrent soundness in the public-key model. This serves as good
motivation for understanding "possession of knowledge on the Internet with registered public-keys",
i.e., the subtleties of concurrent knowledge-extraction in the public-key model.
4.1 The Protocol Structure of [24]

Key-generation. Let $f_V$ be a OWF that admits Σ-protocols. On a security parameter $n$, each
verifier $V$ randomly selects two elements in the domain of $f_V$, $x_V^0$ and $x_V^1$, of length $n$ each, and
computes $y_V^0 = f_V(x_V^0)$ and $y_V^1 = f_V(x_V^1)$. $V$ publishes $(y_V^0, y_V^1)$ as its public-key while keeping
$x_V^b$ as its secret-key for a randomly chosen $b$ from $\{0, 1\}$. (For OWF-based implementation, $V$
also publishes a random string $r_V$ of length $3n$ that serves as the first-round message of Naor's
OWF-based perfectly-binding commitment scheme [60].)

Common input. An element $x \in L$ of length $poly(n)$, where $L$ is an NP-language that admits
Σ-protocols.

The main-body of the protocol. The main-body of the protocol consists of the following three
phases:

Phase-1. The verifier $V$ proves to $P$ that it knows the preimage of either $y_V^0$ or $y_V^1$, by
executing the Σ_OR-protocol on $(y_V^0, y_V^1)$ in which $V$ plays the role of the knowledge prover.
It is additionally required that the first-round message of the Σ_OR-protocol is generated
without using the preimage of either $y_V^0$ or $y_V^1$ (i.e., partial witness-independent). Denote
by $a_V, e_V, z_V$ the first-round, the second-round and the third-round message of the Σ_OR-
protocol of this phase respectively. Here $e_V$ is the random challenge sent by the prover to
the verifier. (For OWF-based implementation, $P$ sends a random string $r_P$ of length $3n$
at the top, which serves as the first-round message of Naor's OWF-based perfectly-binding
commitments and is used by $V$ in generating $a_V$.)

If $V$ successfully finishes the Σ_OR-protocol of this phase and $P$ accepts, then go to Phase-2.
Otherwise, $P$ aborts.

Phase-2. Let $TC$ be a trapdoor bit commitment scheme with the preimage of either $y_V^0$
or $y_V^1$ as the trapdoor. The prover randomly selects a string $e \in \{0, 1\}^n$, and sends
$c_e = \{TCCom(e_1), TCCom(e_2), \ldots, TCCom(e_n)\}$ to the verifier $V$, where $e_i$ is the $i$-th
bit of $e$.

Phase-3. Phase-3 runs essentially the underlying Σ-protocol for $L$ but with the random chal-
lenge set by a coin-tossing mechanism. Specifically, the prover computes and sends the
first-round message of the underlying Σ-protocol, denoted $a_P$, to the verifier $V$ (for OWF-
based implementation, $a_P$ is computed also using $r_V$ published by $V$ in the key-generation
phase); then $V$ responds with a random challenge $q$; finally, $P$ reveals $e$ (committed in
Phase-2), sets $e_P = e \oplus q$, and computes the third-round message of the underlying Σ-
protocol for $L$, denoted $z_P$, with $e_P$ as the real random challenge.

Verifier's decision. $V$ accepts if and only if $e$ is decommitted correctly, $e_P = e \oplus q$ and
$(a_P, e_P, z_P)$ is an accepting conversation for $x \in L$.

Remark: The above protocol structure is essentially that of the incomplete CZK protocol of
[76] (Figure-3, page 17), and can be implemented based on any OWF. The key difference in the
actual implementations of [76, 24] is that [24] uses a special trapdoor commitment scheme in Phase-
2, where the decommitment information to 0 or 1 is in turn committed in two statistically-binding
commitments. This technique is critical for achieving concurrent soundness; the reader is referred
to [23] for more details. We remark that the differences in actual implementations do not invalidate
the attack presented below in Section 4.2, which is presented with respect to a more general protocol
structure.

4.2 The concurrent interleaving and malleating attack

With respect to the above protocol structure of the protocols of [24, 76], let $L$ be any NP-language ad-
mitting a Σ-protocol (in particular, $L$ can be an empty set). Then for an honest
verifier $V$ with its public-key $PK = (y_V^0, y_V^1)$, we define a new language $L' = \{(x, y_V^0, y_V^1) \mid \exists w \text{ s.t. } (x, w) \in R_L$
OR $y_V^b = f_V(w)$ for $b \in \{0, 1\}\}$. Note that for any string $x$ (whether $x \in L$ or not), the state-
ment "$(x, y_V^0, y_V^1) \in L'$" is always true, as $PK = (y_V^0, y_V^1)$ is honestly generated. Also note that $L'$ is
a language that admits Σ-protocols (as the Σ_OR-protocol is itself a Σ-protocol). Now, we describe the
concurrent interleaving and malleating attack, in which $P^*$ successfully convinces the honest verifier
of the statement "$(x, y_V^0, y_V^1) \in L'$" for any arbitrary $poly(n)$-bit string $x$ (even when $x \notin L$) by
concurrently interacting with $V$ in two sessions as follows.

1. $P^*$ initiates the first session with $V$. (For OWF-based implementation, $P^*$ just sends $r_P = r_V$ as
its first message to $V$, where $r_V$ is the random string registered by $V$ as a part of its public-key
for OWF-based implementation.) After receiving the first-round message, denoted by $a'_V$, of
the Σ_OR-protocol of Phase-1 of the first session on common input $(y_V^0, y_V^1)$ (i.e., $V$'s public-key),
$P^*$ suspends the first session.

2. $P^*$ initiates a second session with $V$, and works just as the honest prover does in Phase-1 and
Phase-2 of the second session. We denote by $c_e$ the Phase-2 message of the second session (i.e.,
$c_e$ commits to a random string $e$ of length $n$). When $P^*$ moves into Phase-3 of the second
session and needs to send $V$ the first-round message, denoted by $a_P$, of the Σ-protocol of
Phase-3 of the second session on common input $(x, y_V^0, y_V^1)$, $P^*$ does the following:

• $P^*$ first runs the SHVZK simulator of the Σ-protocol for $L$ on $x$ to get a simulated
conversation, denoted by $(a_L, e_L, z_L)$, for the (possibly false) statement "$x \in L$".

• $P^*$ sets $a_P = (a_L, a'_V)$ and sends $a_P$ to $V$ as the first-round message of the Σ-protocol of
Phase-3 of the second session, where $a'_V$ is the one received by $P^*$ in the first session.

• After receiving the second-round message of Phase-3 of the second session, denoted by $q$
(i.e., the random challenge from $V$), $P^*$ sets $e_P = e \oplus q$ and then suspends the second
session.

3. $P^*$ continues the first session, and sends $e'_V = e_P \oplus e_L$ as the second-round message
of the Σ_OR-protocol of Phase-1 of the first session.

4. After receiving the third-round message of the Σ_OR-protocol of Phase-1 of the first session,
denoted by $z'_V$, $P^*$ suspends the first session again.

5. $P^*$ continues the execution of the second session again, reveals $e$ committed in Phase-2 of the
second session, and sends to $V$ $z_P = ((e_L, z_L), (e'_V, z'_V))$ and the decommitment information of
$e$ as the last-round message of the second session.

Note that $(a_L, e_L, z_L)$ is an accepting conversation for the (possibly false) statement "$x \in L$",
$(a'_V, e'_V, z'_V)$ is an accepting conversation for showing the knowledge of the preimage of either $y_V^0$
or $y_V^1$, and furthermore $e_L \oplus e'_V = e_P = e \oplus q$. According to the description of Σ_OR (presented in
Section 2.1), this means that, from the viewpoint of $V$, $(a_P, e_P, z_P)$ is an accepting conversation of
Phase-3 of the second session on common input $(x, y_V^0, y_V^1)$. That is, $P^*$ successfully convinced $V$
of the statement "$(x, (y_V^0, y_V^1)) \in L'$" (even for $x \notin L$) in the second session but without knowing
any corresponding NP-witness! This demonstrates that the protocol of [24] fails to be a proof of
knowledge (fails knowledge extraction) in concurrent executions (note that it was not designed as
such, since this new issue is the notion we put forth here). We remark that mixing the public-key
structure into the language is a natural attack strategy for the public-key model (a different
demonstration of this was given in [75]).



5 Formulating Concurrent Knowledge-Extraction in the Public-
Key Model

Now, we proceed to formulate concurrent verifier security in light of the above concrete attack against
the protocol of [76, 24]. Note that the concrete attack is of man-in-the-middle (MIM) nature, and
is related to malleability of protocols. The security notion assuring that a malicious prover $P^*$ does
"know" what it claims to know, when it is concurrently interacting with the honest verifier $V$, can
informally be formulated as: for any $x$, if $P^*$ can convince $V$ (with public-key $PK$) of "$x \in L$" (for
an NP-language $L$) by concurrent interactions, then there exists a PPT knowledge-extractor that
outputs a witness for $x \in L$. This is a natural extension of the normal arguments of knowledge
into the concurrent setting in the public-key model. However, such a definition does not work
in the public-key model. The reason is: the statements being proved may be related to $PK$, and
thus the extracted witness may be related to its corresponding secret-key $SK$ (actually, for the
malicious prover strategy of the concrete attack on the protocol of [76, 24], the extracted witness
will just be the same secret-key used by the knowledge-extractor); but in knowledge-extraction the
PPT extractor may have already possessed $SK$. To solve this subtlety, we require the extracted
witness, together with the adversary's view, to be independent of $SK$. But the problem here is how
to formalize such independence, in particular w.r.t. a concurrent MIM. We solve this in the spirit
of the non-malleability formulation [26]. That is, we consider the message space (distribution) of $SK$,
and such independence is roughly formulated as follows: let $SK$ be the secret-key and $SK'$ be an
element randomly and independently distributed over the space of $SK$; then we require that, for any
polynomial-time computable relation $R$, the probability $\Pr[R(w, SK, view) = 1]$ is negligibly close
to $\Pr[R(w, SK', view) = 1]$, where $w$ is the set of witnesses extracted by the knowledge extractor for
successful concurrent sessions and $view$ is the view of the adversary $P^*$. This captures the intuition
that $P^*$ does, in fact, "know" the witnesses to the statements whose validity is successfully
conveyed by concurrent interactions.

Definition 5.1 (concurrent knowledge-extraction (CKE) in the public-key model) We say
that a protocol $(P, V)$ is concurrently knowledge-extractable in the BPK model w.r.t. some admissi-
ble language set $\mathcal{C}$ and some key-validating relation $R_{KEY}$, if for any positive polynomial $s(\cdot)$ and any
$s$-concurrent malicious prover $P^*$ defined in Section 3.2, there exists a pair of (expected) polynomial-
time algorithms $S$ (the simulator) and $E$ (the extractor) such that for any sufficiently large $n$, any
auxiliary input $z \in \{0, 1\}^*$, and any polynomial-time computable relation $R$ (with components drawn
from $\{0, 1\}^* \cup \{\bot\}$), the following hold, in accordance with the experiment $Expt^{CKE}(1^n, z)$ described
below:

• Simulatability. The following ensembles are identical (or indistinguishable):
$\{S_1(1^n, PK, SK, z)\}_{(PK, SK) \in R_{KEY},\, z \in \{0,1\}^*}$ and $\{view_{P^*}^{(PK, SK)}(1^n, z, PK)\}_{(PK, SK) \in R_{KEY},\, z \in \{0,1\}^*}$ (de-
fined in Section 3.2). This in particular implies that $str$ includes $(PK, z)$, and the probability
ensembles $\{S_1(1^n, z)\}_{z \in \{0,1\}^*}$ and $\{view_{P^*}(1^n, z)\}_{z \in \{0,1\}^*}$ (defined in Section 3.2) are actually iden-
tical (or indistinguishable).

• Secret-key independent knowledge-extraction. $E$, on inputs $(1^n, str, sta)$, outputs wit-
nesses to all statements successfully proved in accepting sessions in $str$. Specifically, $E$ outputs
a list of strings $w = \{w_1, w_2, \ldots, w_{s(n)}\}$, satisfying the following:

– $w_i$ is set to be $\bot$ if the $i$-th session in $str$ is not accepting (due to abortion or verifier
verification failure), where $1 \le i \le s(n)$.

– Correct knowledge-extraction for (individual) statements: In any other case (i.e., for suc-
cessful sessions), with overwhelming probability $(x_i, w_i) \in R_L$, where $x_i$ is the common
input selected by $P^*$ for the $i$-th session in $str$ and $R_L$ is the admissible NP-relation for
$L \in \mathcal{C}$ set by $P^*$ in $str$.

– (Joint) knowledge extraction independence (KEI): $\Pr[R(SK, w, str) = 1]$ is negligibly close
to $\Pr[R(SK', w, str) = 1]$.

The probabilities are taken over the randomness of $S$ in the key-generation stage (i.e., the
randomness for generating $(PK, SK, SK')$) and in all proof stages, the randomness of $E$, and
the randomness of $P^*$. If the KEI property holds for any (not necessarily polynomial-time
computable) relation $R$, we say the protocol $(P, V)$ satisfies statistical CKE and statistical
KEI.

$Expt^{CKE}(1^n, z)$

The simulator $S = (S_{KEY}, S_{PROOF})$:

$(PK, SK, SK') \leftarrow S_{KEY}(1^n)$, where the distribution of $(PK, SK)$ is identical with that of the
output of the key-generation stage of the honest verifier $V$, $R_{KEY}(PK, SK) = R_{KEY}(PK, SK') = 1$,
and the distributions of $SK$ and $SK'$ are identical and independent. In other words, $SK$ and $SK'$
are two random and independent secret-keys corresponding to $PK$.

$(str, sta) \leftarrow S_{PROOF}^{P^*(1^n, PK, z)}(1^n, PK, SK, z)$. That is, on inputs $(1^n, PK, SK, z)$ and with oracle
access to $P^*(1^n, PK, z)$, the simulator $S$ outputs a simulated transcript $str$ and some state
information $sta$ to be passed to the knowledge-extractor $E$.

We denote by $S_1(1^n, z)$ the random variable $str$ (in accordance with the above processes of $S_{KEY}$ and
$S_{PROOF}$). For any $(PK, SK) \in R_{KEY}$ and any $z \in \{0, 1\}^*$, we denote by $S_1(1^n, PK, SK, z)$ the
random variable describing the first output of $S_{PROOF}^{P^*(1^n, PK, z)}(1^n, PK, SK, z)$ (i.e., $str$ specific to
$(PK, SK)$).

The knowledge-extractor $E$:

$w \leftarrow E(1^n, sta, str)$. On $(sta, str)$, $E$ outputs a list of witnesses to statements whose validity
is successfully conveyed in $str$.

5.1 Discussion and justification of the CKE formulation 

We first note that the above CKE formulation follows the simulation-extraction approach of [67] 
(which is also used in [3]). Here, the key augmentation, besides some other adaptations to the public- 
key model, is the explicitly required property of knowledge-extraction independence (KEI). Though 
the CKE and KEI notions are formulated in the framework of the public-key model, they are actually 
applicable to protocols in the plain model in general, in order to capture knowledge extractability 
against concurrent adversaries interacting with honest players holding secret values. 

Simulated public-keys vs. real public-keys. In our CKE formulation, the simulation- 
extraction is w.r.t. simulated public-keys. In this case, explicitly requiring the KEI property is crucial 
for correctly formulating CKE, as the simulator/extractor possesses the secret-keys corresponding 
to the simulated public-keys. A natural and intuitive strengthening of the CKE formulation might 
be: the simulator/extractor uses the same public-keys as the honest verifiers. Specifically, for any 
concurrent malicious P* there exists a PPT simulator/extractor that, on the same public-key of 
the honest verifier, outputs a simulated transcript (that is indistinguishable from the real view 
of P*) together with all witnesses to accepting sessions. In this case, as the simulator/extractor 
does not possess the secret-key (of the honest verifier), the KEI property can be waived. But, 
the key observation here is: constant-round CKE (whether ZK or not) with real public-keys is 
impossible. Specifically, constant-round CKE with real public-keys implies constant-round CZK 
(actually, potentially concurrently non-malleable ZK proof of knowledge) in the plain model by 
viewing the verifier's public-keys as a part of the common inputs, which is however impossible at least in the 
black-box sense [12]. 
On the non-triviality of KEI even with independent languages. With the above CKE 
formulation, we are actually formulating the independence of the witnesses used ("known") by the 
concurrent MIM adversary from the secret-key (witness) used by the verifier (who may in turn play the 
role of prover in some sub-protocols). A naive solution for KEI, which appears to make sense in 
certain scenarios, may be to require that the language and statements being proved are independent of 
the verifier's public-keys. But this approach does not work in general. First note that, if the protocol is 
for NP-Complete languages, the statements being proved, selected adaptively by the adversary, can always be 
related to the verifier's public-key (e.g., via NP-reductions). Moreover, for protocols in the BPK model, 
the verifier's keys are used in essential ways, particularly in order to achieve round efficiency. This is the 
case especially when the protocol in the public-key model runs concurrently over the Internet (note that 
most concurrently secure cryptographic tasks cannot be implemented round-efficiently in the plain 
model). Typically, a constant-round cryptographic protocol in the BPK model consists of several 
sub-protocols, such that the common statement and the verifier's public-keys are mixed into the inputs 
to some sub-protocols. In this case, even if the language (and even the witness being used by 
the honest prover) is independent of the verifier's public-keys, the inputs to the sub-protocols, selected 
and decided by the concurrent adversary based on its view of concurrent interleaving attacks, can 
always be related to (dependent on) the verifier's keys (a typical illustration is the Feige-Shamir-ZK-like 
protocols in the public-key model [30]). The various concurrent interleaving and malleating attacks 
presented in this work (in particular, the attack against the protocol variant of the efficient CZK-CKE 
without c_sk in Section 7.3.2) just demonstrate such cases. 

CKE vs. concurrent soundness. We show that, assuming any OWF, CKE is a strictly 
stronger notion for concurrent verifier security than concurrent soundness in the public-key model. 

Proposition 5.1 Assuming any OWF, CKE is strictly stronger than concurrent soundness in the 
public-key model. 

Proof (of Proposition 5.1). It is easy to see that CKE implies concurrent soundness in the public- 
key model. Specifically, suppose that for some (PK, SK) ∈ R_KEY, some admissible language L and 
some string x ∉ L, P* can convince V(R_L, SK) of the false statement "x ∈ L" with non-negligible 
probability in real execution; then with almost the same probability (up to a negligible gap) P* 
can convince the simulator S(R_L, SK) of x ∈ L in Expt^CKE(1^n, z) by the property of simulatability, 
which however contradicts the secret-key-independent knowledge-extraction property. 

Then the proposition follows directly from the attack demonstrated in Section 4.2 on the CZK protocol 
of [24], which is both concurrently sound and a normal argument of knowledge and can be implemented 
based on any OWF. Specifically, for the specific strategy of P* in the concurrent interleaving and 
malleating attack, suppose x ∉ L or just that L is empty; the witness extracted by any polynomial- 
time knowledge-extraction algorithm E (with SK = x_v as its input) must be the preimage of 
either y_v or \tilde{y}_v. But, according to the one-wayness of f_v used in the key-generation stage, with 
overwhelming probability the extracted witness will be the preimage of y_v, conditioned on E outputting 
a witness. (Specifically, consider that the simulator/extractor emulates the key-generation of the honest 
verifier, except that the value \tilde{y}_v is received externally as its input.) Define the relation R as: 
R(w, SK, ·) = 1 if f_v(w) = f_v(SK). Then, conditioned on E outputting a witness, the extracted 
witness (i.e., the preimage of y_v) is always related to SK = x_v, but can be related to a random 
and independent SK' only with negligible probability. Thus, the CZK protocol of [23] is not concurrently 
knowledge-extractable in the public-key model. □ 

6 Generic CZK-CKE in the BPK Model 

In this section, we present the generic constant-round CZK-CKE arguments for NP in the BPK 
model under standard hardness assumptions. The starting point is the basic and famous Feige-Shamir 
ZK (FSZK) structure [30]. The FSZK structure is conceptually simple: it simply composes two 
WIPOK sub-protocols. In more detail, let f be a OWF. In the first WIPOK sub-protocol, with 
the verifier V serving as the knowledge-prover, V computes (y_0 = f(s_0), y_1 = f(s_1)) for randomly 
chosen s_0 and s_1; then V proves to the prover P the knowledge of the preimage of either y_0 or y_1. 
In the second WIPOK sub-protocol, with P serving as the knowledge-prover, on common input x, 
P proves to V the knowledge of either a valid NP-witness w for x ∈ L or the preimage of either y_0 
or y_1. FSZK is also an argument of knowledge, and can be highly practically instantiated (without going 
through general NP-reductions) by the Σ_OR technique [13]. 
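As an added illustration (not code from the paper or from any of the cited works), the following Python sketch instantiates the first FSZK sub-protocol with the Σ_OR technique. It assumes f(s) = g^s in a prime-order group; the constructed parameters p = 2039, q = 1019, g = 4 are far too small to be secure and exist only so the arithmetic is readable. The block shows both sides of the exchange (V as knowledge-prover holding s_b, P as verifier of that proof) and the rewinding extractor behind the POK property on which the later "key coverage" simulation step relies.

```python
"""Toy Sigma_OR proof of knowledge of one of two discrete-log preimages.

Added illustration of the first FSZK / Stage-1 sub-protocol: V holds
PK = (y0, y1) and proves knowledge of s_b with y_b = f(s_b), with f
instantiated as f(s) = g^s mod p (an assumption made here for the Sigma_OR
technique).  Constructed toy group: p = 2039 = 2q + 1, q = 1019 (insecure).
"""
import secrets

P = 2039          # toy safe prime, p = 2q + 1 (constructed, insecure size)
Q = 1019          # prime order of the subgroup generated by G
G = 4             # generator of the order-q subgroup of Z_p^*


def f(s):
    """The 'one-way function' of the key-generation stage: f(s) = g^s mod p."""
    return pow(G, s, P)


def keygen():
    """Verifier key generation: PK = (y0, y1), SK = (b, s_b) for a random bit b."""
    s0, s1 = secrets.randbelow(Q), secrets.randbelow(Q)
    b = secrets.randbelow(2)
    return (f(s0), f(s1)), (b, (s0, s1)[b])


def prover_commit(pk, sk):
    """First Sigma_OR message: real commitment on branch b, simulated
    transcript on branch 1-b.  Returns (message, state) so the same state
    can be answered for several challenges (this is what rewinding does)."""
    b, s = sk
    r = secrets.randbelow(Q)                       # randomness of the real branch
    e_sim, z_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    a = [None, None]
    a[b] = pow(G, r, P)
    # Simulated branch: a_{1-b} = g^z * y_{1-b}^{-e}, so it verifies for (e, z).
    a[1 - b] = (pow(G, z_sim, P) * pow(pk[1 - b], Q - e_sim, P)) % P
    return tuple(a), {"b": b, "s": s, "r": r, "e_sim": e_sim, "z_sim": z_sim}


def prover_respond(state, e):
    """Third message for challenge e: the real branch absorbs e - e_sim so
    that the simulated branch keeps its pre-chosen challenge."""
    b = state["b"]
    e_b = (e - state["e_sim"]) % Q
    z_b = (state["r"] + e_b * state["s"]) % Q
    resp = [None, None]
    resp[b] = (e_b, z_b)
    resp[1 - b] = (state["e_sim"], state["z_sim"])
    return tuple(resp)


def verify(pk, a, e, resp):
    """Verifier check: the two challenges add up to e and both branches verify."""
    (e0, _), (e1, _) = resp
    if (e0 + e1) % Q != e:
        return False
    for i in range(2):
        ei, zi = resp[i]
        if pow(G, zi, P) != (a[i] * pow(pk[i], ei, P)) % P:
            return False
    return True


def run_stage1(pk, sk):
    """One honest execution of Stage-1; returns whether the verifier accepts."""
    a, state = prover_commit(pk, sk)
    e = secrets.randbelow(Q)                       # verifier's random challenge
    return verify(pk, a, e, prover_respond(state, e))


def extract(pk, a, e, resp, e2, resp2):
    """Special-soundness extractor: from two accepting transcripts that share
    the first message a, recover a preimage of y0 or y1."""
    assert e != e2 and verify(pk, a, e, resp) and verify(pk, a, e2, resp2)
    for i in range(2):
        (ei, zi), (ei2, zi2) = resp[i], resp2[i]
        if ei != ei2:                              # branch whose challenge moved
            s = ((zi - zi2) * pow(ei - ei2, -1, Q)) % Q
            assert f(s) == pk[i]
            return i, s
    raise AssertionError("unreachable: e != e2 forces a differing branch")


def check_extraction():
    """Rewind the prover on one state with two challenges; the extracted
    value must be exactly the witness s_b that V used."""
    pk, sk = keygen()
    a, state = prover_commit(pk, sk)
    e1, e2 = 17, 1000                              # two distinct challenges
    branch, s = extract(pk, a, e1, prover_respond(state, e1),
                        e2, prover_respond(state, e2))
    return (branch, s) == sk
```

The simulated branch is fixed once the first message is sent, so under rewinding only the real branch's challenge changes; that is why the extractor recovers s_b and never s_{1-b}, matching the case analysis in the security proofs of the following sections.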

Let (y_0, y_1) serve as the public-key of V and s_b (for a random bit b) as the secret-key; the public- 
key version of FSZK is CZK in the BPK model. But, we show that the public-key version of FSZK 
is not concurrently sound [75], let alone concurrently knowledge-extractable (indeed, FSZK 
was not designed for the public-key model). We hope to add the CKE property to FSZK in the BPK 
model (and thus get concurrent security both for the prover and for the verifier simultaneously), 
while retaining its conceptually simple structure as well as its ability for practical instantiations. 

The subtle point here is: we are actually dealing with a concurrent MIM (CMIM), who 
manages to malleate, in a malicious and unpredictable way, the public-keys and knowledge-proof 
interactions of the verifier in one session into the statements and knowledge-proof interactions in 
another concurrent session. To add CKE security to FSZK in the BPK model, some non-malleable 
(maybe inefficient) building tools seem to be intrinsically required. In this work, we show how to do 
so without employing any non-malleable building tools. 

The idea is to strengthen the first sub-protocol to be a statistical WIPOK, and to require the prover 
to first commit, before starting the second WI sub-protocol, the supposed witness to c_w by running 
a statistically-binding commitment scheme C. This guarantees that if the witness committed to c_w 
is dependent on the secret-key used by V, there are indeed some differences between the interaction 
distribution when V uses SK = s_0 and that when V uses SK = s_1, and we can use such distribution 
differences to violate the statistical WI of the first sub-protocol. But, this solution loses CZK 
in general, as the second WI sub-protocol is run w.r.t. commitments to different values in real 
interactions and in the simulation. This problem can be bypassed by using a stronger second sub- 
protocol, i.e., strong WI (SWI) [53]. Note that the composition of commitment and SWI is itself 
regular WI, and thus the CZK property is salvaged. 

The generic construction is depicted in Figure 1 on page 20 (as the generic construction is for NP 
via NP-reduction, we do not explicitly describe the language-selecting machine M in the protocol 
specification). 

6.1 Security analysis 

Notes on the underlying hardness assumptions and round-complexity. If the OWF f used 
in key-generation admits perfect/statistical Σ-protocols (and thus we can use Σ_OR in Stage-1), and 
we use the Feige-Shamir ZK (FSZK) of [51] (with WI replaced by Σ_OR) to replace the SWI of Stage-3, the 
protocol depicted in Figure 1 can be based on any OWF admitting perfect/statistical Σ-protocols, 
and be of optimal (i.e., 4-round) round-complexity by round combinations. If we use in Stage-1 the 
modified Blum's protocol for DHC with constant-round statistically/perfectly hiding commitments, 
the protocol depicted in Figure 1 can be based on any collision-resistant hash function or any claw-free 
collection with efficiently recognizable index set. 

Theorem 6.1 The protocol depicted in Figure 1 is a constant-round concurrently knowledge-extractable 
concurrent ZK (CZK-CKE) argument for NP in the BPK model. 

Proof. The completeness of the protocol (P, V) can be easily checked. 
Concurrent zero-knowledge. 

We first consider a mental simulator M that takes as input all secret-keys corresponding to all 
public-keys registered in the public-key file, in case the corresponding secret-keys exist. 
Key Generation. Let f : {0,1}^n → {0,1}^n be any OWF, where 1^n is the system security parameter. 
Each verifier V selects random strings s_0, s_1 from {0,1}^n, randomly selects a bit b ← {0,1}, computes 
y_b = f(s_b) and sets y_{1-b} = f(s_{1-b}). V registers PK = (y_0, y_1) in a public file F as its public-key, and 
keeps SK = s_b as its secret-key. Define R_KEY = {((y_0, y_1), s) | y_0 = f(s) ∨ y_1 = f(s)}. 

Common input. An element x ∈ L ∩ {0,1}^{poly(n)}, where L is an NP-Complete language with the 
corresponding NP-relation R_L. 

P private input. An NP-witness w ∈ {0,1}^{poly(n)} for x ∈ L. Here, we assume w.l.o.g. that the witness 
for any x ∈ L ∩ {0,1}^{poly(n)} is of the same length poly(n). 

Stage-1. V proves to P that it knows a preimage to one of y_0, y_1, by running a statistical WIA/POK 
protocol for NP, in which V plays the role of knowledge prover. The witness used by V in this stage 
is s_b. 

Stage-2. If V successfully finishes Stage-1, P does the following: it computes and sends c_w = C(w, r_w), 
where C is a statistically-binding commitment scheme and r_w is the randomness used for the commit- 
ment. 

Stage-3. Define a new NP-language L' = {(x, y_0, y_1, c_w) | ∃(w, r_w) s.t. c_w = C(w, r_w) ∧ ((x, w) ∈ R_L ∨ 
y_0 = f(w) ∨ y_1 = f(w))}. Then, P proves to V that it knows a witness for (x, y_0, y_1, c_w) ∈ L', by 
running a strong WI argument/proof of knowledge (WIA/POK) protocol for NP. 

Figure 1: The generic CZK-CKE argument (P, V) for NP in the BPK model 

For any s(n)-concurrent malicious verifier V* (defined in Section 3) and any NP-language L, M 
runs V* as a subroutine on inputs x = {x_1, ..., x_{s(n)}} ∈ L^{s(n)} (where x_i might equal x_j, 1 ≤ i, j ≤ 
s(n) and i ≠ j), the public file F = {PK_1, ..., PK_{s(n)}} and all assumed existing secret-keys. M 
works just as the honest prover does in Stage-1 of any session. In Stage-2 of any session on a common 
input x_i and with respect to a public-key PK_j (i.e., the i-th session w.r.t. PK_j, 1 ≤ i, j ≤ s(n)), 
M computes c_w^{(i)} = C(SK_j, r_w^{(i)}), where SK_j is the secret-key corresponding to PK_j, which we 
assume exists and M knows. Then, on input (x_i, PK_j, c_w^{(i)}), M runs the strong WI argument/proof 
of knowledge for NP in Stage-3 of the session with (SK_j, r_w^{(i)}) as its witness. 

Then, by a simple hybrid argument, the indistinguishability between the output of M and the 
view of V* in real concurrent interactions follows directly from the regular WI of commit-then-SWI. Note 
that, as mentioned in Section 2, regular WI is preserved under concurrent composition in this case. 

Finally, to build a PPT simulator S from scratch, where S does not know any secret-keys corre- 
sponding to public-keys in the public file, we resort to the technique developed in [11]. Specifically, 
S works in s(n) + 1 phases. In each phase, S either successfully finishes the simulation, or "covers" 
a new public-key for which it has not known the corresponding secret-key up to now, in case V* 
successfully finishes the Stage-1 interactions w.r.t. that public-key. Key coverage is guaranteed by 
the POK property of the Stage-1 interactions. For more details, see [11, 55]. 

(Statistical) concurrent knowledge-extraction. 

According to the CKE formulation, for any s-concurrent malicious prover P* (defined in Section 
2) we need to build two algorithms (S, E). The simulator S, on inputs (1^n, z), works as follows: It 
first perfectly emulates the key-generation stage of the honest verifier, getting PK = (y_0, y_1), 
SK = s_b and SK' = s_{1-b} for a random bit b. Then, S runs P* on (1^n, PK, z) to get (R_L, τ), 
where R_L indicates an NP-language for which the proof-stages will work and τ is some auxiliary 
information to be used by P* in the proof-stages. In the proof stages, S perfectly emulates the honest 
verifier with the secret-key SK. Finally, whenever P* stops, S outputs the simulated transcript str, 
together with the state information sta set to be (PK, SK, SK', z) and the random coins used by S. 
Note that the simulated transcript str is identical to the view of P* in real execution. 

The knowledge-extraction process is similar to that of [67]. Note that we need to extract witnesses 
to all accepting sessions in str. Given (str, sta), the knowledge-extractor E iteratively extracts a 
witness for each accepting session. Specifically, for any i, 1 ≤ i ≤ s(n), we denote by E_i the 
experiment for the knowledge-extractor on the i-th session. E_i emulates S with the fixed random 
coins included in sta, with the exception that the random coins to be used by the simulator (emulating 
the honest verifier) for Stage-3 (i.e., the SWIA/POK) of the i-th session are no longer emulated internally, 
but received externally. The experiment E_i amounts to the execution of the SWIA/POK between a 
stand-alone (deterministic) prover and an honest verifier on common input (x_i, PK, c_w^{(i)}), where c_w^{(i)} 
is the Stage-2 message sent by P* in the i-th session. Suppose the i-th session w.r.t. common input 
x_i is accepting (note that otherwise we do not need to extract a witness and the witness is set to 
be "⊥"); by applying the stand-alone knowledge-extractor (for the SWIA/POK) on E_i, we can extract 
(w_i, r_i) in expected polynomial time. 

Here, a subtle point needs to be further clarified. Denote by p the probability that E_i successfully 
finishes the SWIA/POK on input (x_i, c_w^{(i)}); by applying the (stand-alone) knowledge-extractor on 
E_i, we get that the expected running time is T(n) = p · poly(n)/(p − k(n)), where poly(n)/(p − k(n)) is the 
running time of the knowledge-extractor and k(·) is the knowledge error function (see Definition 2.7). But, when 
p is negligible, as clarified in [53], T(n) is not necessarily polynomial in n. The way to 
deal with this issue is to apply the technique originally introduced in [36] (which is also elaborated 
in [53]). More details about the technique for dealing with this subtlety are referred to [36, 53]. 

Now, we consider the value committed to c_w^{(i)}, which is also efficiently extracted. There are three 
possibilities: 

Case-1. c_w^{(i)} = C(w_i, r_i) and y_{1-b} = f(w_i). Recall that PK = (y_0, y_1) and SK = s_b. 
Case-2. c_w^{(i)} = C(w_i, r_i) and y_b = f(w_i). 
Case-3. c_w^{(i)} = C(w_i, r_i) and (x_i, w_i) ∈ R_L. 

Case-1 can occur only with negligible probability, due to the one-wayness of f. Specifically, 
consider that y_{1-b} is given to the simulator as input, rather than being emulated internally. 

Case-2 can also occur only with negligible probability, due to the statistical WI of Stage-1. Suppose 
Case-2 occurs with non-negligible probability (and we know Case-1 occurs with negligible probabil- 
ity); then we can simply open the c_w^{(i)}'s by brute force to violate the statistical WI of Stage-1. 

By removing Case-1 and Case-2, we conclude now that for any i, 1 ≤ i ≤ s(n), if the i-th session 
in str is accepting w.r.t. common input x_i selected by P*, then E will output a witness w_i for 
x_i ∈ L. To finish the proof, we need to further show that knowledge-extraction is independent of 
the secret-key used by the simulator/extractor (i.e., the joint KEI property). Specifically, we need 
to show that Pr[R(SK, w, str) = 1] is negligibly close to Pr[R(SK', w, str) = 1] for any polynomial- 
time computable relation R, where w is the list of extracted witnesses (when the simulator/extractor 
uses SK as the witness in the Stage-1 interactions in str) and SK' is the element (output by S 
in accordance with Expt^CKE(1^n, z)) randomly and independently distributed over the space of SK. 
The joint KEI property follows directly from the statistical WI of Stage-1. Specifically, as the extracted 
witnesses are well-defined by the statistically-binding c_w^{(i)}'s, if the joint KEI property does not hold, 
we directly extract by brute force all witnesses w_i's from the c_w^{(i)}'s of successful sessions, and then 
apply the assumed existing distinguishing relation R to violate the statistical WI of Stage-1. 

In more detail, for any pair (s_0, s_1) in the key-generation stage and for any auxiliary informa- 
tion z, 

Pr[R(SK, w, str) = 1] = 1/2 · Pr[R(s_0, w, str) = 1 | S/E uses s_0 in the Stage-1 interactions in str] 
  + 1/2 · Pr[R(s_1, w, str) = 1 | S/E uses s_1 in the Stage-1 interactions in str], 

and 

Pr[R(SK', w, str) = 1] = 1/2 · Pr[R(s_0, w, str) = 1 | S/E uses s_1 in the Stage-1 interactions in str] 
  + 1/2 · Pr[R(s_1, w, str) = 1 | S/E uses s_0 in the Stage-1 interactions in str]. 

Suppose the KEI property does not hold; this implies that there exists a bit a ∈ {0,1} such that the dif- 
ference between Pr[R(s_a, w, str) = 1 | S/E uses s_0 in the Stage-1 interactions in str] and Pr[R(s_a, w, str) = 
1 | S/E uses s_1 in the Stage-1 interactions in str] is non-negligible. Now, we can incorporate (s_a, R) 
into a brute-force algorithm in order to break the statistical WI of Stage-1. Further details are 
omitted here. Note that the KEI property holds against any (not necessarily polynomial-time com- 
putable) relation R. That is, the protocol depicted in Figure 1 is of statistical CKE. □ 

6.2 On the essential role of Strong WI 

We remark that, with respect to the above generic CZK-CKE implementation depicted in Figure 1, 
the SWI at Stage-3 plays an essential role for achieving the CZK and CKE properties simultaneously. 
In particular, we note that regular WI is insufficient here. On the one hand, we do not know how to 
prove the CZK property in general when SWI is replaced by a regular WI. On the other hand, as 
ZK is itself SWI, one may consider using a special ZK (e.g., the FSZK which composes two regular 
WI sub-protocols) to replace the SWI of Stage-3 such that the special ZK can share the regular WI of 
Stage-1 in the public-key model, and thus we only use a regular WIPOK at Stage-3. This in particular 
implies a round-optimal (i.e., four-round) implementation by corresponding round combinations. But 
such a solution loses the CKE property and even concurrent soundness in general in the public-key 
model (see the concrete attack on FSZK in the public-key model [75]). That is, in the security 
analysis of the SWI-based generic CZK-CKE implementation, we rely on the argument/proof 
of knowledge of SWI in the plain model, which is not affected by concurrent composition in the plain 
model. If we replace the SWI by a ZK protocol in the BPK model, then we may require the ZK 
protocol to have already been CKE-secure, which however is our goal here. 

Still, in the next section, we consider more efficient CZK-CKE implementations based on regular WI. 
But the situation with such solutions turns out to be much subtler. 

7 Efficient CZK-CKE in the BPK Model 

In this section, we present the efficient constant-round CZK-CKE arguments for NP in the BPK 
model, and their practical instantiations. The efficient CZK-CKE protocols rely on some minor com- 
plexity leveraging, in a novel way, to frustrate potential concurrent MIM. Along the way, we discuss 
and clarify the various subtleties. 

Recall that for the generic CZK-CKE implementation presented in Section 6, the strong WI at 
Stage-3 plays an essential role for the provable security. But, employing strong WI complicates the 
protocol structure, and incurs protocol inefficiency. It would be desirable to still use regular WI 
at Stage-3, for a conceptually simple protocol structure as well as for protocol efficiency. To bypass 
the subtleties of SWI for the CZK proof, we employ a double-commitments technique. Specifically, 
we require the prover to produce a pair of statistically-binding commitments, c_w and c_sk, before 
starting the second WI sub-protocol, where c_w is supposed to commit to a valid NP-witness for 
x ∈ L and c_sk is supposed to commit to the preimage of either y_0 or y_1. Double commitments can 
bypass, by hybrid arguments, the subtleties of SWI for the CZK proof. But, the provable CKE 
property with double commitments turns out to be much subtler, and we have to employ (some 
minimal) complexity leveraging, in a novel way, to frustrate potential CMIM adversarial strategies. 
This renders us an efficient, as well as conceptually simple, CZK-CKE solution, which can be further 
highly practically instantiated for some number-theoretic languages. 

The construction is depicted in Figure 2 on page 23 (as the construction is for NP via 
NP-reduction, we do not explicitly describe the language-selecting machine M in the protocol 
specification). 

Note on efficiency. Though we employ double commitments at Stage-2, the strong WIA/POK 
of Stage-3 in the generic construction is replaced by any regular WIA/POK here, from which we 
gain a much better efficiency advantage. In particular, as we shall see, the efficient construction can 
be highly practically instantiated. It is also easy to see that the implementation can be round-optimal 
by round combinations. 

Notes on the complexity leveraging. We remark that complexity leveraging via the sub- 
exponential hardness assumption on verifier's public-key is only for provable security analysis to 
Key Generation. Let f : {0,1}^n → {0,1}^n be any OWF secure against 2^{n^c}-time adversaries for some 
constant c, 0 < c < 1, where 1^n is the system security parameter. Each verifier V selects random strings 
s_0, s_1 from {0,1}^n, randomly selects a bit b ← {0,1}, computes y_b = f(s_b) and sets y_{1-b} = f(s_{1-b}). V 
registers PK = (y_0, y_1) in a public file F as its public-key, and keeps SK = s_b as its secret-key. Define 

R_KEY = {((y_0, y_1), s) | y_0 = f(s) ∨ y_1 = f(s)} 

Common input. An element x ∈ L ∩ {0,1}^{poly(n)}. Denote by R_L the corresponding NP-relation for L. 

P private input. An NP-witness w ∈ {0,1}^{poly(n)} for x ∈ L. Here, we assume w.l.o.g. that the witness 
for any x ∈ L ∩ {0,1}^{poly(n)} is of the same length poly(n). 

Complexity leveraging. The system parameter is n, but the statistically-binding commitment c_sk is 
generated on a relatively smaller security parameter n_sk. Specifically, suppose the one-wayness of the verifier's 
public-key holds against 2^{n^c}-time adversaries for some constant c, 0 < c < 1. Let λ be any constant such 
that λ > 1/c; then we set n = n_sk^λ. Note that n and n_sk are still polynomially related. That is, any quantity 
that is a polynomial of n is also another polynomial of n_sk. This complexity leveraging guarantees that 
although a poly(n) · 2^{n_sk}-time adversary can break the hiding property of c_sk on the security parameter n_sk, 
it is still infeasible to break the one-wayness of f (because poly(n) · 2^{n_sk} < 2^{n^c}). 

Stage-1. V proves to P that it knows a preimage to one of y_0, y_1, by running a statistical WIA/POK 
protocol, in which V plays the role of knowledge prover. The witness used by V in this stage is s_b. 

Stage-2. If V successfully finishes Stage-1, P does the following: it computes and sends c_w = C(w, r_w) 
and c_sk = C(0^n, r_sk), where C is a statistically-binding commitment scheme and r_w and r_sk are the 
randomness used for the commitments. c_sk is generated on the smaller security parameter n_sk specified 
above. 

Stage-3. Define a new NP-language L' = {(x, y_0, y_1, c_w, c_sk) | (∃(w, r_w) s.t. c_w = C(w, r_w) ∧ (x, w) ∈ 
R_L) ∨ (∃(w, r_sk, b) s.t. c_sk = C(w, r_sk) ∧ y_b = f(w) ∧ b ∈ {0,1})}. Then, P proves to V that it 
knows a witness for (x, y_0, y_1, c_w, c_sk) ∈ L', by running a (3-round) WI argument/proof of knowledge 
(WIA/POK) protocol for NP (e.g., the n-parallel repetition of Blum's protocol for DHC). 

Figure 2: The efficient CZK-CKE argument (P, V) for NP in the BPK model 

frustrate concurrent MIM. Both the CZK simulation and the CKE knowledge-extraction are still polynomial- 
time. We note that the use of complexity leveraging for frustrating concurrent MIM could be a novel 
paradigm, different from the uses of complexity leveraging in existing works for protocols in the BPK 
model (e.g., [H]). Such a paradigm can also be applied to other scenarios to frustrate potential concur- 
rent MIM, while still providing polynomial-time simulation and/or knowledge-extraction. Note also 
that the complexity leveraging is minimal: it only applies to c_sk, and all other components of the pro- 
tocol work on the general system parameter n; also, all components except for the verifier's public-keys 
can be standard polynomially secure. Furthermore, as we shall see, the complexity leveraging can 
be waived as long as only concurrent soundness is concerned. We remark that, though non-standard, 
the sub-exponential hardness assumption may still be viewed as reasonable, as it is also used in a 
large body of works for fulfilling various cryptographic tasks. Detailed discussions and clarifications 
of the use of complexity leveraging for frustrating concurrent MIM can be found in Section 7.2. 
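To make the parameter rule of Figure 2 and the brute-force step of the analysis concrete, here is an added Python example (not the paper's code). It keeps the figure's symbols c, λ and n_sk, models poly(n) as n^3 (an assumption of this example only), and assumes a hash-based stand-in commitment C(v, r) = SHA-256(v || r) whose randomness r has only n_sk bits; the paper's C is an arbitrary statistically-binding scheme and the hash stand-in is merely computationally binding, so it is used here purely for illustration. `headroom` reports, in bits of work, the gap between exhaustively opening c_sk (poly(n) · 2^{n_sk}) and inverting f (2^{n^c}), and `brute_force_open` performs the exhaustive opening that the reduction relies on, on a toy n_sk.

```python
"""Complexity leveraging for c_sk: parameter rule and brute-force opening.

Added illustration, not the paper's code.  poly(n) is modelled as n^3 and the
commitment is a hash stand-in; both are assumptions made for this example.
"""
import hashlib
import itertools
import math


def headroom(c, lam, n_sk, poly_degree=3):
    """log2 of the work gap between inverting f and brute-forcing c_sk.

    With n = n_sk^lam, inverting f costs about 2^{n^c}, while exhaustively
    opening c_sk costs about poly(n) * 2^{n_sk} = n^poly_degree * 2^{n_sk}.
    Returns n^c - (n_sk + poly_degree * log2 n): positive means the
    reduction's brute force is strictly cheaper than breaking f.
    """
    n = n_sk ** lam
    return n ** c - (n_sk + poly_degree * math.log2(n))


def leveraging_parameters(c, lam, n_sk, poly_degree=3):
    """Apply the rule of Figure 2: 0 < c < 1, lam > 1/c, n = n_sk^lam.
    Returns (n, headroom); a choice with lam <= 1/c gives n^c <= n_sk, so the
    brute force would be at least as expensive as inverting f."""
    if not 0 < c < 1:
        raise ValueError("c must lie strictly between 0 and 1")
    if lam <= 1 / c:
        raise ValueError("lambda must exceed 1/c, otherwise n^c <= n_sk")
    return n_sk ** lam, headroom(c, lam, n_sk, poly_degree)


def commit(value, randomness, n_sk):
    """Toy commitment C(v, r) = SHA-256(v || r) with an n_sk-bit r.
    (Hash-based stand-in assumed for illustration; values are small ints.)"""
    if not 0 <= randomness < 2 ** n_sk:
        raise ValueError("randomness must be an n_sk-bit string")
    msg = value.to_bytes(4, "big") + randomness.to_bytes(4, "big")
    return hashlib.sha256(msg).digest()


def brute_force_open(c, n_sk, value_space):
    """Open c by enumerating every (value, r) pair: |value_space| * 2^{n_sk}
    hash evaluations, i.e. the poly(n) * 2^{n_sk} work the analysis allows
    the reduction.  Returns the opening, or None if no pair matches."""
    for v, r in itertools.product(value_space, range(2 ** n_sk)):
        if commit(v, r, n_sk) == c:
            return v, r
    return None
```

With c = 0.6 and λ = 3 (so λ > 1/c ≈ 1.67), n_sk = 10 gives n = 1000 and a positive headroom; with λ = 1.5 the headroom is negative for every n_sk, which is exactly the case the rule excludes. The exhaustive opening over 16 candidate values and 8 bits of randomness finishes instantly, while inverting an f secure against 2^{n^c}-time adversaries at n = 1000 remains out of reach.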

On the necessity of double commitments c_w and c_sk. We stress that in the context of 
the above protocol structure of efficient CZK-CKE, mandating the double commitments c_w and c_sk of 
Stage-2 plays a very crucial role for simultaneously achieving CZK and CKE in the public-key model. 
On the one hand, for protocol variants without either c_w or c_sk, concrete attacks exist, showing that 
they are not concurrently knowledge-extractable. Details are presented in Section 7.3. On the other 
hand, double commitments enable us to bypass the need for strong WI at Stage-3 for correct CZK 
simulation. Specifically, by employing double commitments the CZK simulation is not based on 
the strong WI property of Stage-3, and it is shown that regular WI is sufficient for correct CZK 
simulation by hybrid arguments. 
7.1 Security analysis 

Notes on the underlying hardness assumptions and round-complexity. First note that, 
except for the sub-exponential hardness assumption on the OWF f used in key generation, all other 
components in our solution can be standard polynomially secure. We note that if the OWF f admits 
perfect/statistical Σ-protocols (and thus we can use Σ_OR in Stage-1), the protocol depicted in Figure 
2 can be based on any sub-exponentially strong OWF admitting perfect/statistical Σ-protocols, and 
be of optimal (i.e., 4-round) round-complexity by round combinations. If we use in Stage-1 the 
modified Blum's protocol for DHC with constant-round statistically/perfectly hiding commitments, 
the protocol depicted in Figure 2 can be based on any collision-resistant hash function and any 
sub-exponentially strong OWF with optimal round-complexity, or based on any sub-exponentially 
strong claw-free collection (with efficiently recognizable index set) but with 5 rounds. In the latter 
case (with the modified Blum's protocol for DHC), we can use any sub-exponentially strong OWF for 
key generation. 

Theorem 7.1 The protocol depicted in Figure 2 is a concurrently knowledge-extractable concurrent 
ZK argument for NP in the BPK model. 

Proof (sketch). The completeness of the protocol {P, V) can be easily checked. 
Concurrent zero-knowledge. 

We first consider a mental simulator M that takes as input all secret-keys corresponding to all 
public-keys registered in the public-key file, in case the corresponding secret-keys exist. 

For any s(n)-concurrent malicious verifier V* (defined in Section 3) and any NP-language L, M 
runs V* as a subroutine on inputs x = {x_1, ..., x_{s(n)}} ∈ L^{s(n)} (where x_i might equal x_j, 1 ≤ i, j ≤ 
s(n) and i ≠ j), the public file F = {PK_1, ..., PK_{s(n)}} and all assumed existing secret-keys. M 
works just as the honest prover does in Stage-1 of any session. In Stage-2 of any session on a common 
input x_i and with respect to a public-key PK_j (i.e., the i-th session w.r.t. PK_j, 1 ≤ i, j ≤ s(n)), M 
computes c_w^{(i)} = C(0^{poly(n)}, r_w^{(i)}) and c_sk^{(i)} = C(SK_j, r_sk^{(i)}), where SK_j is the secret-key corresponding 
to PK_j, which we assume exists and M knows. Then, M runs the WIA/POK protocol with 
V* in Stage-3 of the session with (SK_j, r_sk^{(i)}) as its witness. 

To show that the output of M is indistinguishable from the view of V* in real concurrent interactions, 
we consider another mental simulator M'. M' takes both the witnesses for x = {x_1, ..., x_{s(n)}} and 
all the secret-keys corresponding to public-keys registered in F (in case the corresponding secret-keys 
exist). M' works just as M does, but with the following exception: for any i, j, 1 ≤ i, j ≤ s(n), in 
Stage-2 of the i-th session on common input x_i w.r.t. PK_j, M' computes c_w^{(i)} = C(w_i, r_w^{(i)}), where w_i 
is the witness for the common input x_i. Note that the witness used by M' in Stage-3 is still SK_j, just 
as M does. That the output of M' is indistinguishable from that of M follows from the computational 
hiding property of the statistically-binding commitment scheme C used in Stage-2: otherwise, by a 
simple hybrid argument, we can violate the hiding property of the underlying commitment scheme 
C. 

We now consider another mental simulator M'' that mimics M' with the following exception: for 
any i, j, 1 ≤ i, j ≤ s(n), in Stage-3 of the i-th session on common input x_i w.r.t. PK_j, the witness 
used by M'' is w_i, rather than SK_j as used by M'. By hybrid arguments, the output of M'' is 
indistinguishable from that of M' by the WI property of Stage-3. Also, by hybrid arguments, the 
output of M'' is indistinguishable from the view of V* in real concurrent interactions by the 
computational hiding property of the underlying commitment scheme C used in Stage-2. 

This establishes that the output of M is indistinguishable from the view of V* in real concurrent 
interactions. To build a PPT simulator S from scratch, where S does not know any secret-keys 
corresponding to public-keys in the public file, we again resort to the technique developed in [11]. 
Specifically, S works in s(n) + 1 phases. In each phase, S either successfully finishes the simulation, or 
"covers" a new public-key for which it has not known the corresponding secret-key up to now, in case 
V* successfully finishes the Stage-1 interactions w.r.t. that public-key. Key covering is guaranteed 
by the POK property of the Stage-1 interactions. For more details, see 

(Statistical) concurrent knowledge-extraction. 

According to the CKE formulation, for any $s$-concurrent malicious prover $P^*$ (defined in Section 2) we need to build two algorithms $(S, E)$. The simulator $S$, on inputs $(1^n, z)$, works as follows: it first perfectly emulates the key-generation stage of the honest verifier, getting $PK = (y_0, y_1)$, $SK = s_b$ and $SK' = s_{1-b}$ for a random bit $b$. Then, $S$ runs $P^*$ on $(1^n, PK, z)$ to get $(R_L, \tau)$, where $R_L$ indicates an $\mathcal{NP}$-language for which the proof-stages will work and $\tau$ is some auxiliary information to be used by $P^*$ in the proof-stages. In the proof-stages, $S$ perfectly emulates the honest verifier with the secret-key $SK$. Finally, whenever $P^*$ stops, $S$ outputs the simulated transcript $str$, together with the state information $sta$ set to be $(PK, SK, SK', z)$ and the random coins used by $S$. Note that the simulated transcript $str$ is identical to the view of $P^*$ in real execution.

The knowledge-extraction process is similar to that of [67]. Note that we need to extract witnesses for all accepting sessions in $str$. Given $(str, sta)$, the knowledge-extractor $E$ iteratively extracts a witness for each accepting session. Specifically, for any $i$, $1 \le i \le s(n)$, we denote by $E_i$ the experiment for the knowledge-extractor on the $i$-th session. $E_i$ emulates $S$ with the fixed random coins included in $sta$, with the exception that the random challenge (i.e., the second-round message) of the WIA/POK protocol of Stage-3 in the $i$-th session is no longer emulated internally, but received externally. The experiment $E_i$ amounts to the execution of the WIA/POK protocol of Stage-3 between a stand-alone (deterministic) prover and an honest verifier on common input $x_i$. Suppose the $i$-th session w.r.t. common input $x_i$ is accepting (note that otherwise we do not need to extract a witness and the witness is set to be "$\bot$"). By applying the stand-alone knowledge-extractor (for the underlying WIA/POK) on $E_i$, according to the POK property of the underlying WIA/POK protocol (say, the $n$-parallel repetition of Blum's protocol for DHC), except with probability $2^{-n}$ we can extract $(w_i, r_i)$ in expected polynomial-time, satisfying one of the following:

Case-1. $c_{sk}^{(i)} = C(w_i, r_i)$ and $y_{1-b} = f(w_i)$, where $c_{sk}^{(i)}$ and $c_w^{(i)}$ are the double statistically-binding commitments sent at Stage-2 of the $i$-th session, and $SK = s_b$.

Case-2. $c_{sk}^{(i)} = C(w_i, r_i)$ and $y_b = f(w_i)$.

Case-3. $c_w^{(i)} = C(w_i, r_i)$ and $(x_i, w_i) \in R_L$.

Case-1 can occur only with negligible probability, due to the one-wayness of $f$. Specifically, consider that $y_{1-b}$ is given to the simulator as input, rather than being emulated internally.

The subtle point here is: by applying the stand-alone knowledge-extractor on $E_i$, the Stage-1 interactions given by the simulator/extractor would also be rewound, which could reveal the secret-key $SK$. In particular, recall the adversarial strategies presented in Section 4. Here, it is the critical combination of complexity leveraging on the statistically-binding commitment $c_{sk}^{(i)}$ and the statistical WI of Stage-1 that provably rules out such concurrent interleaving and malleating attacks.

Proposition 7.1 Case-2 occurs with negligible probability.

Proof (of Proposition 7.1). Suppose Case-2 occurs with non-negligible probability. This means that there is some $(s_0, s_1, b)$, where $s_0, s_1 \in \{0,1\}^n$ and $b \in \{0,1\}$, such that when the simulator $S$ uses $s_b$ as the witness for simulating Stage-1 interactions, with non-negligible probability $p(n)$ the $c_{sk}^{(i)}$ in the simulated transcript $str$ output by $S$ is a commitment to $s_b$; otherwise, Case-2 would trivially occur with negligible probability. But, due to the statistical WI of Stage-1, with the same probability $p(n)$ the $c_{sk}^{(i)}$ in the simulated transcript $str$ output by $S$, when it uses $s_{1-b}$ as the witness for simulating Stage-1 interactions, is still a commitment to $s_b$. Note that the value committed in $c_{sk}^{(i)}$ can be brute-force extracted in time $poly(n) \cdot 2^{n_{sk}} \ll 2^{n^c}$. Now, suppose $y_b = f(s_b)$ is given to the simulator as input externally, and $y_{1-b}$ and the Stage-1 interactions are simulated by the simulator (with $s_{1-b}$ as the witness). This implies that there exists an algorithm that can break the one-wayness of $y_b$ in $poly(n) \cdot 2^{n_{sk}} \ll 2^{n^c}$ time, which violates the sub-exponential hardness of $y_b$.

On the subtleties without the complexity leveraging. We remark that the use of complexity leveraging on $c_{sk}$, along with the statistical WI of Stage-1, not only provably rules out Case-2 but also greatly simplifies the proof of Proposition 7.1. In particular, we do not know how to prove Proposition 7.1 without the complexity leveraging. Detailed clarifications of the subtleties are presented in Section 7.2, which in particular implies that the efficient CZK-CKE protocol depicted in Figure 2 is concurrently sound under standard polynomial-time hardness assumptions. □

By removing Case-1 and Case-2, we conclude now that for any $i$, $1 \le i \le s(n)$, if the $i$-th session in $str$ is accepting w.r.t. common input $x_i$ selected by $P^*$, then $E$ will output a witness $w_i$ for $x_i \in L$. To finish the proof, we need to further show that knowledge-extraction is independent of the secret-key used by the simulator/extractor (i.e., the joint KEI property). Specifically, we need to show that $\Pr[R(SK, \bar{w}, str) = 1]$ is negligibly close to $\Pr[R(SK', \bar{w}, str) = 1]$ for any polynomial-time computable relation $R$, where $\bar{w}$ is the list of extracted witnesses (when the simulator/extractor uses $SK$ as the witness in the Stage-1 interactions in $str$) and $SK'$ is the element (output by $S$ in accordance with $\mathsf{Expt}^{CKE}(1^n, z)$) randomly and independently distributed over the space of $SK$. The joint KEI property follows directly from the statistical WI of Stage-1. Specifically, as the extracted witnesses are well-defined by the statistically-binding $c_w^{(i)}$'s, if the joint KEI property does not hold, we directly extract by brute-force all witnesses $w_i$ from the $c_w^{(i)}$'s of successful sessions, and then apply the assumed distinguishing relation $R$ to violate the statistical WI of Stage-1.

In more detail, for any pair $(s_0, s_1)$ in the key-generation stage and for any auxiliary information $z$,
$$\Pr[R(SK, \bar{w}, str) = 1] = \tfrac{1}{2}\Pr[R(s_0, \bar{w}, str) = 1 \mid S/E \text{ uses } s_0 \text{ in Stage-1 interactions in } str] + \tfrac{1}{2}\Pr[R(s_1, \bar{w}, str) = 1 \mid S/E \text{ uses } s_1 \text{ in Stage-1 interactions in } str],$$
and
$$\Pr[R(SK', \bar{w}, str) = 1] = \tfrac{1}{2}\Pr[R(s_0, \bar{w}, str) = 1 \mid S/E \text{ uses } s_1 \text{ in Stage-1 interactions in } str] + \tfrac{1}{2}\Pr[R(s_1, \bar{w}, str) = 1 \mid S/E \text{ uses } s_0 \text{ in Stage-1 interactions in } str].$$
Suppose the KEI property does not hold. This implies that there exists a bit $\alpha \in \{0,1\}$ such that the difference between $\Pr[R(s_\alpha, \bar{w}, str) = 1 \mid S/E \text{ uses } s_0 \text{ in Stage-1 interactions in } str]$ and $\Pr[R(s_\alpha, \bar{w}, str) = 1 \mid S/E \text{ uses } s_1 \text{ in Stage-1 interactions in } str]$ is non-negligible. Now, we can incorporate $(s_\alpha, R)$ into a brute-force algorithm in order to break the statistical WI of Stage-1. Further details are omitted here. Note that the KEI property holds against any (not necessarily polynomial-time computable) relation $R$; that is, the protocol depicted in Figure 2 is of statistical CKE. □

7.2 On the subtleties without the complexity leveraging

In this section, we clarify the subtleties and justify the necessity of the (minimal) complexity leveraging on $c_{sk}$ in the efficient CZK-CKE protocol. We first give a high-level discussion of the use of complexity leveraging against (concurrent) men-in-the-middle; then, we make in-depth clarifications by attempting to provide a proof of Proposition 7.1 without the complexity leveraging on $c_{sk}$, which identifies the subtleties or difficulties that seemingly cannot be overcome without exploiting the complexity leveraging on $c_{sk}$ (and also the statistical WI of Stage-1).

7.2.1 On the use of complexity leveraging against man-in-the-middle

Recall that, for the generic CZK-CKE (depicted in Figure 1), to successfully finish the $i$-th session with the commit-then-SWI mechanism, for any $i$, $1 \le i \le s(n)$, an $s$-concurrent adversary $P^*$ has to use the value committed to (determined by) the unique Stage-2 commitment as the witness in the Stage-3 SWI. But, for the efficient CZK-CKE, $P^*$ has two choices: it can use either the value committed to in $c_{sk}^{(i)}$ or the value committed to in $c_w^{(i)}$ as the witness in the Stage-3 regular WI. We consider two potential adversarial strategies:

Adversarial-Strategy-1. $P^*$ commits a valid witness $w$ (for $x_i \in L$) to $c_w^{(i)}$, and commits a secret-key, say $s_0$, to $c_{sk}^{(i)}$ in Stage-2 of the $i$-th session (possibly by malleating the verifier's public-keys into $x_i$ and $c_{sk}^{(i)}$), where $x_i$ is the common input adaptively selected by $P^*$ for the $i$-th session; then, possibly by malleating the Stage-1 concurrent interactions, $P^*$ always uses the valid witness $w$ in Stage-3 of the $i$-th session in case the honest verifier $V$ uses $s_1$ as the witness in the Stage-1 interactions (note that $w$ could be maliciously related to $s_1$ as well, as the common input $x_i$ is selected by $P^*$), but uses $s_0$ as the witness in Stage-3 with non-negligible probability in case $V$ uses $s_0$ as the witness in the Stage-1 interactions.

Adversarial-Strategy-2. With non-negligible probability $p$, $P^*$ commits $s_0$ (resp., $s_1$) to $c_{sk}^{(i)}$ in Stage-2 of the $i$-th session (again, possibly by malleating the verifier's public-keys into $c_{sk}^{(i)}$); then, possibly by malleating the Stage-1 concurrent interactions, $P^*$ successfully finishes Stage-3 of the session with $s_0$ (resp., $s_1$) as the witness, in case $V$ uses $s_0$ (resp., $s_1$) as the witness in the Stage-1 interactions. However, with the same probability $p$, $P^*$ commits both a valid witness $w$ to $c_w^{(i)}$ and $s_0$ (resp., $s_1$) to $c_{sk}^{(i)}$ in Stage-2 of the session, and successfully finishes Stage-3 with $w$ as the witness in case $V$ uses $s_1$ (resp., $s_0$) as the witness in the Stage-1 interactions.

Note that the concurrent malicious prover $P^*$ actually amounts to a concurrent MIM who manages, by concurrently interleaving interactions, to malleate the verifier's public-keys and Stage-1 interactions (in which it plays the role of the verifier) into successful Stage-2 and Stage-3 interactions (in which $P^*$ plays the role of the prover), but without knowing any witness for the Stage-2 and Stage-3 interactions. Note that both of the above cases indicate the failure of knowledge-extraction correctness: that is, with non-negligible probability, the value extracted (when using $SK = s_b$ for a random bit $b$) is the preimage of $y_0$ or $y_1$ committed to in $c_{sk}^{(i)}$. But no contradiction can be reached without resorting to the complexity leveraging. In particular, they do not violate the statistical WI of Stage-1: in the first case, the value committed to in $c_{sk}^{(i)}$ is fixed; and in the second case, with probability $2p$, the value committed to in $c_{sk}^{(i)}$ is $s_b$ for both $b \in \{0,1\}$, no matter which secret-key (whether $s_0$ or $s_1$) is used in the Stage-1 interactions. As we do not employ any non-malleable building tools and we are actually facing a concurrent MIM $P^*$, the above MIM adversarial strategies could indeed be potential. At least, we do not know how to provably rule out such seemingly impossible adversarial activities without resorting to the complexity leveraging.

We note that the use of complexity leveraging for frustrating concurrent MIM could be a novel paradigm, different from the uses of complexity leveraging in existing works (e.g., [74]). Such a paradigm may be of independent interest, and can be applied in other scenarios to frustrate potential concurrent MIM, while still providing polynomial-time simulation and/or knowledge-extraction as well as retaining protocol efficiency and a conceptually simple protocol structure. Note also that the complexity leveraging is minimal: it only applies to $c_{sk}$, and all components except for the verifier's public-keys can be standard polynomially secure.

7.2.2 Analysis attempt without complexity leveraging

In this section, by attempting to provide a proof of Proposition 7.1 without the complexity leveraging on $c_{sk}$, we clarify the subtleties or difficulties that seemingly cannot be overcome without exploiting the complexity leveraging on $c_{sk}$ (and also the statistical WI of Stage-1). The analysis in particular implies that the efficient CZK-CKE protocol depicted in Figure 2 is concurrently sound under standard polynomial-time hardness assumptions, and that partial witness independent WI (employed in the works of [24, 20, 21]) seems to be insufficient even for correct knowledge-extraction for individual statements. In the following security analysis, we assume no complexity leveraging on $c_{sk}$, i.e., the verifier's public-keys are standard polynomially secure and $c_{sk}$ is formed on the same system parameter $n$.

We consider two experiments: $\mathcal{E}_0$ and $\mathcal{E}_1$. For each $\mu \in \{0,1\}$, $\mathcal{E}_\mu$ mimics the experiment $E_i$ (specified in the security analysis in Section 7.1), with the following exceptions: $\mathcal{E}_\mu$ uses $s_\mu$ as its witness in the Stage-1 interactions (note that $(s_0, s_1)$ is included in $sta$); and the coins used by $\mathcal{E}_\mu$ for internal emulation of the proof-stages are randomly and independently chosen (i.e., they are independent of the coins included in $sta$). The coins for the first stages of $V$ and $P^*$ are still those fixed in $sta$, with respect to which we suppose Case-2 will occur with non-negligible probability. Suppose Case-2 occurs with non-negligible probability; then there must exist a bit $\mu$ such that applying the (stand-alone) knowledge-extractor on $\mathcal{E}_\mu$ will output the preimage of $y_\mu$ with non-negligible probability. Otherwise, Case-2 will trivially occur with negligible probability. Without loss of generality, we assume $\mu = 0$. That is, the knowledge-extractor on $\mathcal{E}_0$ outputs the preimage of $y_0$ with non-negligible probability (and outputs the preimage of $y_1$ with negligible probability, due to the one-wayness of $f$). Now we consider the output of the knowledge-extractor on $\mathcal{E}_1$: first, it outputs the preimage of $y_0$ also with negligible probability; thus, with non-negligible probability (as we assume Case-2 occurs with non-negligible probability and the Stage-1 interactions are WI), the knowledge-extractor on $\mathcal{E}_1$ outputs either the preimage of $y_1$ or the witness for some $x \in L$, where $x$ is the common input of the $i$-th session in $\mathcal{E}_1$. Note that $x$ is not necessarily the same as $x_i$ in $E_i$, as the coins used by $\mathcal{E}_\mu$ are not the same as those of $E_i$.

Note. Here, we cannot directly conclude that the knowledge-extractor on $\mathcal{E}_1$ will certainly output the preimage of $y_1$ with non-negligible probability, as we cannot rely on the assumption that $x \in L$. This point complicates the security analysis, and is one underlying reason for requiring the complexity leveraging.

Now, we want to contradict the statistical WI property of Stage-1. We define a series of hybrid mental experiments $H_1, \cdots, H_{s(n)}$ as follows: for any $k$, $1 \le k \le s(n)$, $H_k$ mimics the behavior of $\mathcal{E}_0$ but with the following exceptions: in Stage-1 of the first $k$ sessions, $H_k$ uses $s_1$ as its witness; and in Stage-1 of the remaining $s(n) - k$ sessions it uses $s_0$ as the witness. Note that $H_0$ equals the experiment $\mathcal{E}_0$, and $H_{s(n)}$ equals the experiment $\mathcal{E}_1$. We have assumed that the (stand-alone) knowledge-extractor on $H_0 (= \mathcal{E}_0)$ will output the preimage of $y_0$ with non-negligible probability (but output the preimage of $y_1$ with negligible probability), and that the knowledge-extractor on $H_{s(n)} (= \mathcal{E}_1)$ will output either a preimage of $y_1$ or a witness for some $x \in L$ with non-negligible probability (but output the preimage of $y_0$ only with negligible probability). By hybrid arguments, we conclude that there must exist a $k$, $1 \le k \le s(n)$, such that the knowledge-extractor on $H_{k-1}$ outputs the preimage of $y_0$ with non-negligible probability and the knowledge-extractor on $H_k$ outputs the preimage of $y_0$ with negligible probability (and outputs the preimage of $y_1$ or a witness for some $x \in L$ with non-negligible probability). Recall that, in all the experiments, the (stand-alone) knowledge-extractor is to extract the knowledge for the statement whose validity was successfully conveyed in the $i$-th session. Then we attempt to break the statistical WI property of Stage-1 by considering another experiment $B$.

$B$ mimics $H_k$ with the following exceptions: the Stage-1 interactions of the $k$-th session are no longer emulated internally, but are run externally with an external knowledge-prover $\hat{P}_k$ who uses $s_\delta$ as the witness for a random bit $\delta$. Note that, if $\hat{P}_k$ uses $s_1$ as its witness then the experiment $B$ is identical to $H_k$, and if $\hat{P}_k$ uses $s_0$ as its witness then $B$ is identical to $H_{k-1}$. Now, we consider two cases:

Case-2.1. The external interactions with $\hat{P}_k$ have finished before the sending of the random challenge (i.e., the second-round message) of Stage-3 of the $i$-th session.

Case-2.2. The external interactions with $\hat{P}_k$ have not finished by the sending of the random challenge of Stage-3 of the $i$-th session. Note that the concurrent interleaving and malleating attack described in Section 4.2 is just a demonstration of this case.

If Case-2.1 occurs, we break the WI property of Stage-1 as follows. Note that in this case, applying the stand-alone knowledge-extractor on (the $i$-th session in) $B$ does not incur rewinding the interactions with $\hat{P}_k$. We can combine the stand-alone knowledge-extractor and the internal emulation of $B$ into a stand-alone (expected polynomial-time) knowledge-verifier interacting with $\hat{P}_k$. If the knowledge-extractor outputs the preimage of $y_0$, then we also output 0; in any other case, we output a random bit. According to the above hybrid arguments, if $\hat{P}_k$ uses $s_0$ as its witness, then we will output 0 with probability non-negligibly bigger than $1/2$; on the other hand, if $\hat{P}_k$ uses $s_1$ as its witness, then we will output 0 with probability negligibly close to $1/2$. Furthermore, using Markov's inequality, a standard technique (as is done in [65, 73]) shows that if the WI property holds w.r.t. any strict polynomial-time algorithm, it also holds w.r.t. any expected polynomial-time algorithm. This contradicts the WI property of the underlying protocol. Note that computational WI of Stage-1 is sufficient for ruling out Case-2.1.

If Case-2.2 occurs, we further distinguish two cases according to the output of the knowledge-extractor on $H_k$. Recall that we have assumed that the output of the knowledge-extractor on $H_k$ is the preimage of $y_0$ only with negligible probability, and the output of the stand-alone knowledge-extractor on $H_{k-1}$ is the preimage of $y_0$ with non-negligible probability.

Case-2.2.1. With negligible probability the output of the (stand-alone) knowledge-extractor on $H_k$ is $s_1$ (i.e., the output is always a witness for some $x \in L$ of the $i$-th session in $H_k$). This case can be partially illustrated by Adversarial-Strategy-1 demonstrated in Section 7.2.1.

Note. It is easy to see that if the common input $x$ of the $i$-th session in $H_k$ is false, i.e., $x \notin L$, then Case-2.2.1 can appear at most with negligible probability. We note that partial witness independent WI (employed in the works of [24, 20, 21]) seems to be insufficient even for correct knowledge-extraction for individual statements (recall that our CKE formulation is w.r.t. joint knowledge-extraction for all statements whose validity was successfully conveyed in the concurrent sessions). This point was not addressed in existing works. In particular, with respect to Adversarial-Strategy-1, in this case the knowledge-extractor will extract a secret-key $s_0$ with non-negligible probability when it simulates the Stage-1 interactions with $s_0$ as the witness, which indicates the failure of correct knowledge-extraction even for any individual statement.

Case-2.2.2. With non-negligible probability the output of the stand-alone knowledge-extractor on $H_k$ is the preimage of $y_1$. This case can be partially illustrated by Adversarial-Strategy-2 demonstrated in Section 7.2.1.

Note. Again, if the common input $x$ of the $i$-th session in $H_k$ is false, i.e., $x \notin L$, then Case-2.2.2 can appear at most with negligible probability. Otherwise, the value committed in $c_{sk}^{(i)}$ indicates the secret-key used in the Stage-1 interactions. Recall that we have assumed that the output of the knowledge-extractor on $H_k$ is the preimage of $y_0$ only with negligible probability, and the output of the stand-alone knowledge-extractor on $H_{k-1}$ is the preimage of $y_0$ with non-negligible probability. Specifically, suppose the witness used for the Stage-1 interactions is $s_b$; then a successful $i$-th session with $c_{sk}^{(i)}$ committing to $s_{1-b}$ occurs with negligible probability (conditioned on $x \notin L$). This violates the statistical WI of Stage-1.

Remark. Although it intuitively seems that Case-2.2 (in particular, the exemplifying adversarial strategies) could not occur with non-negligible probability, it (and particularly the exemplifying adversarial strategies presented in Section 7.2.1) could indeed be potential, as we do not employ any non-malleable building tools and we are actually facing a concurrent MIM. We do not know how to provably rule out such possibilities without resorting to the complexity leveraging on $c_{sk}$.

7.3 On the necessity of double commitments

To show the necessity of the double commitments $c_w$ and $c_{sk}$ used in Stage-2 of the efficient CZK-CKE protocol depicted in Figure 2, we demonstrate concrete attacks against variants of the protocol without either $c_w$ or $c_{sk}$, where the WIA/POK protocols are implemented by $\Sigma_{OR}$-protocols.

7.3.1 The attack against the variant protocol without $c_w$

The variant protocol without $c_w$, which amounts to the CZK protocols of [76, 20], is re-depicted in Figure 3 (page 30).
$\Sigma_{OR}$-based protocol variant without $c_w$ $(P, V)$

Key Generation. Let $f : \{0,1\}^n \rightarrow \{0,1\}^n$ be any OWF, where $n$ is the security parameter. Each verifier $V$ selects random strings $s_0, s_1$ from $\{0,1\}^n$, randomly selects a bit $b \leftarrow \{0,1\}$, computes $y_b = f(s_b)$ and sets $y_{1-b} = f(s_{1-b})$. $V$ registers $PK = (y_0, y_1)$ in a public file $F$ as its public-key, and keeps $SK = s_b$ as its secret-key.

Common input. An element $x \in L \cap \{0,1\}^{poly(n)}$. Denote by $R_L$ the corresponding $\mathcal{NP}$-relation for $L$.

P private input. An $\mathcal{NP}$-witness $w \in \{0,1\}^{poly(n)}$ for $x \in L$.

Stage-1. $V$ proves to $P$ that it knows the preimage of either $y_0$ or $y_1$, by running a $\Sigma_{OR}$-protocol on the input $(y_0, y_1)$ in which $V$ plays the role of the knowledge prover. The witness used by $V$ in this stage is $s_b$. Denote by $a_V, e_V, z_V$ the first-round, the second-round and the third-round message of the $\Sigma_{OR}$-protocol, respectively.

Stage-2. If $V$ successfully finishes Stage-1, $P$ does the following: it computes $c_{sk} = C(0^n, r_{sk})$, where $C$ is a perfectly-binding commitment scheme and $r_{sk}$ is the randomness used for the commitment.

Stage-3. Define a new $\mathcal{NP}$-language $L' = \{(x, y_0, y_1, c_{sk}) \mid (\exists w \text{ s.t. } (x, w) \in R_L) \vee (\exists (w, r_{sk}, b) \text{ s.t. } c_{sk} = C(w, r_{sk}) \wedge y_b = f(w) \wedge b \in \{0,1\})\}$. Then, $P$ proves to $V$ that it knows a witness for $(x, y_0, y_1, c_{sk}) \in L'$ by running a $\Sigma_{OR}$-protocol (i.e., the OR-proof of $\Sigma$-protocols). The witness used by $P$ is $w$ such that $(x, w) \in R_L$. We denote by $a_P, e_P, z_P$ the first-round, the second-round, and the third-round message of the $\Sigma_{OR}$-protocol of this stage, respectively.

Figure 3: $\Sigma_{OR}$-based protocol variant without $c_w$

On the implementations of $\Sigma_{OR}$. For the $\Sigma_{OR}$-based protocol variant depicted in Figure 3, there are two ways to get statistical WI of Stage-1. In particular, we can require that the underlying OWF $f$ used in the key-generation stage admits perfect/statistical $\Sigma$-protocols, and thus the $\Sigma_{OR}$ of Stage-1 is perfect/statistical WI. In general, the variant of (the $n$-parallel repetition of) Blum's protocol for DHC, where the statistically-binding commitments used in the first round are replaced by one-round statistically-hiding commitments based on collision-resistant hash functions, is a statistical $\Sigma$-protocol (as well as a statistical WI argument) for $\mathcal{NP}$, and thus can be applied to any $\mathcal{NP}$ language under the assumption of collision-resistant hash functions.

Let $L$ be any $\mathcal{NP}$-language admitting a $\Sigma$-protocol, denoted by $\Sigma_L$ (in particular, $L$ can be the empty set). For an honest verifier $V$ with its public-key $PK = (y_0, y_1)$, we define a new language $\tilde{L} = \{(x, y_0, y_1) \mid \exists w \text{ s.t. } (x, w) \in R_L \vee \exists (w, b) \text{ s.t. } y_b = f(w) \wedge b \in \{0,1\}\}$. Note that for any string $x$ (whether $x \in L$ or not), the statement "$(x, y_0, y_1) \in \tilde{L}$" is always true, as $PK = (y_0, y_1)$ is honestly generated. Also note that $\tilde{L}$ is a language that admits $\Sigma$-protocols (as the $\Sigma_{OR}$-protocol is itself a $\Sigma$-protocol). Now, we describe the concurrent interleaving and malleating attack, in which $P^*$ successfully convinces the honest verifier of the statement "$(x, y_0, y_1) \in \tilde{L}$" for any arbitrary $poly(n)$-bit string $x$ (even when $x \notin L$) by concurrently interacting with $V$ in two sessions as follows.

1. $P^*$ initiates the first session with $V$. After receiving the first-round message, denoted by $a'_V$, of the $\Sigma_{OR}$-protocol of Stage-1 of the first session on common input $(y_0, y_1)$ (i.e., $V$'s public-key), $P^*$ suspends the first session.

2. $P^*$ initiates a second session with $V$, and works just as the honest prover does in Stage-1 and Stage-2. We denote by $c_{sk}$ the Stage-2 message of the second session (i.e., $c_{sk}$ commits to $0^n$). When $P^*$ moves into Stage-3 of the second session and needs to send $V$ the first-round message, denoted by $a_P$, of the $\Sigma_{OR}$-protocol of Stage-3 of the second session on common input $(x, y_0, y_1, c_{sk})$, $P^*$ does the following:

• $P^*$ first runs the SHVZK simulator of $\Sigma_L$ (i.e., the $\Sigma$-protocol for $L$) on $x$ to get a simulated conversation, denoted by $(a_x, e_x, z_x)$, for the (possibly false) statement "$x \in L$". Then, $P^*$ runs the SHVZK simulator of the underlying $\Sigma$-protocol for $\mathcal{NP}$ on $(y_0, y_1, c_{sk})$ to get a simulated conversation, denoted by $(a_{sk}, e_{sk}, z_{sk})$, for the (false) statement "$\exists (w, r_{sk}, b) \text{ s.t. } c_{sk} = C(w, r_{sk}) \wedge y_b = f(w) \wedge b \in \{0,1\}$".

• $P^*$ sets $a_P = (a_x, a'_V, a_{sk})$ and sends $a_P$ to $V$ as the first-round message of the $\Sigma_{OR}$-protocol of Stage-3 of the second session, where $a'_V$ is the one received by $P^*$ in the first session.

• After receiving the second-round message of Stage-3 of the second session, denoted by $e_P$ (i.e., the random challenge from $V$), $P^*$ sets $e'_V = e_P \oplus e_x \oplus e_{sk}$ and then suspends the second session.

3. $P^*$ continues the first session, and sends $e'_V = e_P \oplus e_x \oplus e_{sk}$ as the second-round message of the $\Sigma_{OR}$-protocol of Stage-1 of the first session.

4. After receiving the third-round message of the $\Sigma_{OR}$-protocol of Stage-1 of the first session, denoted by $z'_V$, $P^*$ suspends the first session again.

5. $P^*$ continues the execution of the second session again, and sends $z_P = ((e_x, z_x), (e'_V, z'_V), (e_{sk}, z_{sk}))$ to $V$ as the last-round message of the second session.

Note that $(a_x, e_x, z_x)$ is an accepting conversation for the (possibly false) statement "$x \in L$", $(a'_V, e'_V, z'_V)$ is an accepting conversation showing knowledge of the preimage of either $y_0$ or $y_1$, $(a_{sk}, e_{sk}, z_{sk})$ is an accepting conversation for the statement "$\exists (w, r_{sk}, b) \text{ s.t. } c_{sk} = C(w, r_{sk}) \wedge y_b = f(w) \wedge b \in \{0,1\}$", and furthermore $e_x \oplus e'_V \oplus e_{sk} = e_P$. According to the description of $\Sigma_{OR}$ (presented in Section 2), this means that, from the viewpoint of $V$, $(a_P, e_P, z_P)$ is an accepting conversation of Stage-3 of the second session on common input $(x, y_0, y_1)$. That is, $P^*$ successfully convinced $V$ of the statement "$(x, y_0, y_1) \in \tilde{L}$" (even for $x \notin L$) in the second session, but without knowing any corresponding $\mathcal{NP}$-witness.

7.3.2 The attack against the variant protocol without $c_{sk}$

The variant protocol without $c_{sk}$ is re-depicted in Figure 4 (page 32).

$\Sigma_{OR}$-based protocol variant without $c_{sk}$ $(P, V)$

Key Generation. Let $f : \{0,1\}^n \rightarrow \{0,1\}^n$ be any OWF, where $n$ is the security parameter. Each verifier $V$ selects random strings $s_0, s_1$ from $\{0,1\}^n$, randomly selects a bit $b \leftarrow \{0,1\}$, computes $y_b = f(s_b)$ and sets $y_{1-b} = f(s_{1-b})$. $V$ registers $PK = (y_0, y_1)$ in a public file $F$ as its public-key, and keeps $SK = s_b$ as its secret-key.

Common input. An element $x \in L \cap \{0,1\}^n$. Denote by $R_L$ the corresponding $\mathcal{NP}$-relation for $L$.

P private input. An $\mathcal{NP}$-witness $w \in \{0,1\}^n$ for $x \in L$. Here, we assume w.l.o.g. that the witness for any $x \in L \cap \{0,1\}^n$ is of the same length $n$.

Stage-1. $V$ proves to $P$ that it knows the preimage of either $y_0$ or $y_1$, by running a $\Sigma_{OR}$-protocol on the input $(y_0, y_1)$ in which $V$ plays the role of the knowledge prover. The witness used by $V$ in this stage is $s_b$. Denote by $a_V, e_V, z_V$ the first-round, the second-round and the third-round message of the $\Sigma_{OR}$-protocol, respectively.

Stage-2. If $V$ successfully finishes Stage-1, $P$ does the following: it computes $c_w = C(w, r_w)$, where $C$ is a perfectly-binding commitment scheme and $r_w$ is the randomness used for the commitment.

Stage-3. Define a new $\mathcal{NP}$-language $L' = \{(x, y_0, y_1, c_w) \mid (\exists (w, r_w) \text{ s.t. } c_w = C(w, r_w) \wedge (x, w) \in R_L) \vee (\exists (w, b) \text{ s.t. } y_b = f(w) \wedge b \in \{0,1\})\}$. Then, $P$ proves to $V$ that it knows a witness for $(x, y_0, y_1, c_w) \in L'$ by running a $\Sigma_{OR}$-protocol. The witness used by $P$ is $(w, r_w)$. We denote by $a_P, e_P, z_P$ the first-round, the second-round, and the third-round message of the $\Sigma_{OR}$-protocol of this stage, respectively.

Figure 4: $\Sigma_{OR}$-based protocol variant without $c_{sk}$

Now, we describe the concurrent interleaving and malleating attack, in which $P^*$ successfully convinces the honest verifier of the statement "$x \in L$", for any $n$-bit string $x$ and for any $\mathcal{NP}$-language $L$, without knowing any $\mathcal{NP}$-witness, by concurrently interacting with $V$ in two sessions as follows.

1. $P^*$ initiates the first session with $V$. After receiving the first-round message, denoted by $a'_V$, of the $\Sigma_{OR}$-protocol of Stage-1 of the first session on common input $(y_0, y_1)$ (i.e., $V$'s public-key), $P^*$ suspends the first session.

2. $P^*$ initiates a second session with $V$, and works just as the honest prover does in Stage-1. In Stage-2 of the second session, $P^*$ sends $c_w = C(0^n)$ (rather than $C(w)$ as the honest prover does). When $P^*$ moves into Stage-3 of the second session and needs to send $V$ the first-round message, denoted by $a_P$, of the $\Sigma_{OR}$-protocol of Stage-3 of the second session on common input $(x, y_0, y_1, c_w)$, $P^*$ does the following:

• P* first runs the SHVZK simulator of the underlying S-protocol for MV on common input 
(x,c w ) to get a simulated conversation, denoted by (fla;,^, z x ), for the (false) statement 
u 3(w,r w ) s.t. c w = C(w,r w ) A (x,w) £ Rl)" . 

• P* sets ap = (a x , a' v ) and sends ap to F as the first-round message of the Eoij-protocol 
of Stage-3 of the second session, where a' v is the one received by P* in the first session. 

• After receiving the second-round message of Stage-3 of the second session, denoted by ep 
(i.e., the random challenge from V), P* sets e' v = ep © e x and then suspends the second 
session. 

3. P continues the first session, and sends e' v = ep © e x as the second-round message of the 
So^j-protocol of Stage-1 of the first session. 

4. After receiving the third-round message of the So_R-protocol of Stage-1 of the first session, 
denoted by z' v , P* suspends the first session again. 

5. P* continues the execution of the second session again, and sends zp = ((e x ,z x ), (e'y,z' v )) to 
V as the last-round message of the second session. 

Note that $(a_x, e_x, z_x)$ is an accepting conversation for the (false) statement "$\exists (w, r_w) \text{ s.t. } c_w =
C(w, r_w) \wedge (x, w) \in R_L$", $(a'_V, e'_V, z'_V)$ is an accepting conversation showing knowledge of
the preimage of either $y_0$ or $y_1$, and furthermore $e_x \oplus e'_V = e_P$. According to the description of
$\Sigma_{OR}$ (presented in Section 2), this means that, from the viewpoint of V, $(a_P, e_P, z_P)$ is an accepting
conversation of Stage-3 of the second session on common input $x$. That is, P* successfully convinced
V of the statement "$x \in L$" without knowing any corresponding NP-witness.
7.4 Practical instantiations

In the (round-optimal) practical instantiations of the efficient CZK-CKE protocol, the verifier uses
the sub-exponentially secure DLP OWF in the key-generation stage: $f_{p,q,g}(x) = g^x \bmod p$, where $p$ and
$q$ are primes, $p = 2q + 1$ and $|p| = n$, and $g$ is an element of $Z_p^*$ of order $q$. We also assume the
(standard polynomial-time) DDH assumption holds on the cyclic group indexed by $(p, q, g)$ (i.e., the
subgroup of order $q$ of $Z_p^*$). The admissible common input is $x \in Z_p^*$ of order $q$ and the corresponding
witness is $w \in Z_q$ such that $g^w = x \bmod p$. We remark that the parameters $(p, q, g)$, specifying
$f_{p,q,g}$ and the admissible common inputs, are set outside the system.

The statistical WIPOK of Stage-1 is replaced by the $\Sigma_{OR}$ of Schnorr's basic protocol for DLP
[68]. The perfectly-binding commitment scheme of Stage-2 is replaced by the DDH-based ElGamal
(non-interactive) commitment scheme [29] (recalled in Section 2). To commit to a value $v \in Z_q$, the
committer randomly selects $u, r \in Z_q$, computes $h = g^u \bmod p$ and sends $(h, \bar{g} = g^r, \bar{h} = g^v h^r)$ as
the commitment.

For the practical $\Sigma$-protocol of Stage-3, by the $\Sigma_{OR}$-technique we need the following two practical
$\Sigma$-protocols:

• A practical $\Sigma$-protocol that, given $x, c_w = (h, \bar{g}, \bar{h})$, proves the knowledge of $(w, r)$ such that
$x = g^w \bmod p$ and $\bar{g} = g^r \bmod p$ and $\bar{h} = g^w h^r \bmod p$.

• A practical $\Sigma$-protocol that, given $y_0, y_1, c_{sk} = (h, \bar{g}_{sk}, \bar{h}_{sk})$, proves the knowledge of $(w, r)$ such
that either $y_0 = g^w \bmod p$ and $\bar{g}_{sk} = g^r \bmod p$ and $\bar{h}_{sk} = g^w h^r \bmod p$, or $y_1 = g^w \bmod p$
and $\bar{g}_{sk} = g^r \bmod p$ and $\bar{h}_{sk} = g^w h^r \bmod p$.

Again, by the $\Sigma_{OR}$-technique, if we have a practical $\Sigma$-protocol of the first type, then we can also
have a practical $\Sigma$-protocol of the second type. Thus, to get the practical CZK-CKE implementation,
all we need now is to develop a practical $\Sigma$-protocol of the first type. Based on the $\Sigma$-protocol for
DLP [68], such a $\Sigma$-protocol is described below.

Common input: $(p, q, g, x, h, \bar{g}, \bar{h})$, where $x, h, \bar{g}, \bar{h}$ are all elements of order $q$ in $Z_p^*$.

Prover's private input: $w, r \in Z_q$ such that $x = g^w \bmod p$ and $\bar{g} = g^r \bmod p$ and $\bar{h} = g^w h^r \bmod p$.

Round-1: The prover P randomly selects $t \in Z_q$, computes $a_0 = g^t \bmod p$ and $a_1 = h^t \bmod p$, and
sends $(a_0, a_1)$ to the verifier V.

Round-2: V responds with a random challenge $e$ taken uniformly from $Z_q$.

Round-3: P computes $z_0 = t + we \bmod q$ and $z_1 = t + re \bmod q$, and sends back $(z_0, z_1)$ to V.

Verifier's decision: V accepts if and only if: $g^{z_0} = a_0 x^e \bmod p$ and $g^{z_1} = a_0 \bar{g}^e \bmod p$ and
$h^{z_1} = a_1 (\bar{h}/x)^e \bmod p$.

We give a brief analysis of the above $\Sigma$-protocol:

Special soundness: From two accepting conversations w.r.t. the same Round-1 message,
$\{(a_0, a_1), e, (z_0, z_1)\}$ and $\{(a_0, a_1), e', (z'_0, z'_1)\}$ with $e \neq e'$, we can compute $w = \frac{z_0 - z'_0}{e - e'} \bmod q$ and $r = \frac{z_1 - z'_1}{e - e'} \bmod q$.

Special HVZK: The SHVZK simulator S works as follows: on a given random challenge $e \in Z_q$,
it randomly selects $z_0, z_1$ from $Z_q$, then it sets $a_0 = g^{z_0} x^{-e}$ and $a_1 = g^{z_1} \bar{g}^{-e} = h^{z_1} (\bar{h}/x)^{-e}$.

We remark that, although the above practical implementation is for a specific number-theoretic
language, it is indeed very useful in practical scenarios.